Ain't No Party Like a Third-Party JS Party

Ain't No Party Like a Third-Party JS Party

0177cdce6af15e10db15b6bf5dc4e0b0?s=128

Rebecca Murphey

September 12, 2014
Tweet

Transcript

  1. Ain’t No Party Like 
 a Third-Party JS Party Rebecca

    Murphey BlendConf 2014 Charlotte, N.C.
  2. @rmurphey ~ rmurphey.com bazaarvoice.com

  3. None
  4. third-party javascript

  5. <script>      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new  Date();a=s.createElement(o),    

     m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)      })(window,document,'script','//www.google-­‐analytics.com/analytics.js','ga');   !    ga('create',  'UA-­‐143877-­‐10',  'auto');      ga('send',  'pageview');   ! </script>
  6. None
  7. None
  8. None
  9. <script  src="//display.ugc.bazaarvoice.com/static/Agileville/en_US/bvapi.js">
 </script>   <script>    $BV.ui('rr',  'show_reviews',  {  

           productId  :  'product1'      });   </script>
  10. [A] critical security error is why the web is beautiful

    and amazing, and 
 I am so happy that no one thought 
 “hey, that might be a terrible idea,” because I really don’t think we’d have as good of an ecosystem as we have today. Needless to say, it’s kind of scary that if anyone can get a script tag on your page, there’s nothing they can’t do. Alex Sexton, Stripe
  11. third-party javascript is consensual XSS

  12. None
  13. None
  14. <blockquote  class="twitter-­‐tweet"  lang="en"><p>In  1921,  early   suffragettes  often  donned  a

     bathing  suit  and  ate  pizza  in  large   groups  to  annoy  men.  <a  href="http://t.co/ oQJFND2AHJ">pic.twitter.com/oQJFND2AHJ</a></p>&mdash;  History  In   Pictures  (@historyepics)  <a  href="https://twitter.com/historyepics/ statuses/505935577444003840">August  31,  2014</a></blockquote>   ! <script  async  src="//platform.twitter.com/widgets.js"   charset="utf-­‐8"></script>  
  15. <blockquote  class="twitter-­‐tweet"  lang="en"><p>In  1921,  early   suffragettes  often  donned  a

     bathing  suit  and  ate  pizza  in  large   groups  to  annoy  men.  <a  href="http://t.co/ oQJFND2AHJ">pic.twitter.com/oQJFND2AHJ</a></p>&mdash;  History  In   Pictures  (@historyepics)  <a  href="https://twitter.com/historyepics/ statuses/505935577444003840">August  31,  2014</a></blockquote>   ! <script  async  src="//platform.twitter.com/widgets.js"   charset="utf-­‐8"></script>  
  16. 7 requests, 3 hosts

  17. 107k

  18. None
  19. 3pjs access demo

  20. third-party javascript is consensual XSS

  21. you’re a third-party JS consumer if 1. your web page

    loads a <script> 
 from a domain you don’t control 2. your JS application consumes JSONP 
 from a domain you don’t control (see #1)
  22. trust no one (except if you must) async all the

    things understand the risks: security, perf, conflicts https all the things
  23. None
  24. work everywhere BYOE(verything) be the fastest thing on the page

    tolerate insanity
  25. #undefined body double zombie scripts keypressn't

  26. https://pinboard.in/u:rmurphey/t:3pjs/

  27. @rmurphey ~ rmurphey.com bazaarvoice.com