What are the risks of hosting 3rd party JavaScript?
I'm a new developer at my company and I do mostly front-end web development. Our team is frequently asked by our Sales and Marketing people to incorporate 3rd party javascripts on our site.
"Here's a 'little code snippet'. Our vendor asked if you could put this in our home page"
This makes me very nervous.
I know these scripts can slow down our pages, and I've found in a number of cases I've had to surround some code with try/catch blocks to ensure that these 3rd party errors do not impact other scripts on the page.
These scripts come to me in a variety of forms ...
some are vendor supplied scripts that we host ...
<script src="http://www.mycompany.com/js/vendor-file.js" type="text/javascript"></script>
... some are referenced in our code, but hosted externally
<script src="http://www.vendor.com/js/file.js" type="text/javascript"></script>
... and some are scripts that appear inline on our site, which insert tags into our head by writing to the DOM
var a = document.createElement("script");
a.type = "text/javascript";
a.src = "http://www.vendor.com/js/file.js"; // the vendor-hosted file
document.getElementsByTagName("head")[0].appendChild(a); // ... etc.
A lesser concern, but still important, is cookie writing -- and exceeding IE6's 20 cookie limit (yes, an important client base is still on IE6 and they represent real $$$) -- so we require (hope) that no javascripts hosted on our domain drop any additional cookies.
But, aside from the cookie issue -- what additional risks/scenarios/dangers exist that I need to know about or should be looking out for -- so I can keep our site and our customers happy.
Thanks
-Rich
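The cookie concern in the question is easy to measure rather than hope about. The following is an added example, not code from the original post: it parses a cookie string of the form document.cookie produces, counts the cookies, flags when a per-domain limit is reached (the 20 used here is the IE6 figure the question cites, passed as a parameter), and reports which cookies appeared after a vendor script ran. The sample cookie strings and the vendor cookie names are constructed for the example.

```javascript
// Added example: audit the cookies visible to script on a document and detect
// which ones a third-party snippet dropped. Pass document.cookie in a browser;
// here constructed strings stand in for it so the code runs offline.

function auditCookies(cookieString, limit) {
  if (limit === undefined) limit = 20; // IE6's per-domain limit from the question
  var names = [];
  // document.cookie reads "name=value; name2=value2". Values may themselves
  // contain "=", so only the first "=" in each part separates the name.
  var parts = cookieString ? cookieString.split(/;\s*/) : [];
  for (var i = 0; i < parts.length; i++) {
    var part = parts[i];
    if (!part) continue; // tolerate a trailing ";"
    var eq = part.indexOf('=');
    names.push(eq === -1 ? part : part.slice(0, eq));
  }
  return {
    count: names.length,
    names: names,
    atOrOverLimit: names.length >= limit
  };
}

// Cookies present after a vendor snippet ran that were not present before.
function newCookies(beforeAudit, afterAudit) {
  var seen = {};
  beforeAudit.names.forEach(function (n) { seen[n] = true; });
  return afterAudit.names.filter(function (n) { return !seen[n]; });
}

// Constructed samples: document.cookie before and after a vendor snippet.
var SAMPLE_BEFORE = 'sessionid=abc123; lang=en';
var SAMPLE_AFTER = 'sessionid=abc123; lang=en; __vendor_uid=x=y; __vendor_ab=B';

// Usage: run once before inserting the vendor tag, once after it has executed.
var beforeAudit = auditCookies(SAMPLE_BEFORE);
var afterAudit = auditCookies(SAMPLE_AFTER);
console.log('vendor added cookies:', newCookies(beforeAudit, afterAudit));
console.log('at or over limit:', afterAudit.atOrOverLimit);
```

In a real page the same check can be wired into a staging build that loads each vendor snippet in turn, so a snippet that writes cookies is caught before it reaches the customers still on the 20-cookie browser.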
Comments (5)
"No" is a big word with a lot of power. Wield it well.
You are under NO obligation (barring legal and contractual agreements) to include any code snippets from sources you do not know and fully trust. If you are nervous, and you're responsible for the stability and security of your site, JUST SAY NO.
JavaScript can be a wild beast to tame. It's very easy for one small, seemingly innocuous script to bring the whole house crashing down. Never treat any simple script like it's "just a silly little thing." All it takes is for one script to replace a key function that, say, JQuery, or AJAX, or some other library relies on, and your site will go down in a blaze of glory.
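The "one script replaces a key function" failure can be caught mechanically. The following is an added example, not code from the answer above: it snapshots the global object before a third-party snippet runs and diffs it afterwards, reporting globals the snippet added, overwrote or removed. The fake window object and the vendor snippet that clobbers $ are constructed for the example; in a page you would pass window itself.

```javascript
// Added example: detect globals a third-party snippet adds or overwrites,
// such as replacing jQuery's `$`, by diffing the global object around it.

function snapshotGlobals(globalObj) {
  const snap = new Map();
  for (const key of Object.keys(globalObj)) snap.set(key, globalObj[key]);
  return snap;
}

function diffGlobals(before, globalObj) {
  const added = [];
  const overwritten = [];
  for (const key of Object.keys(globalObj)) {
    if (!before.has(key)) added.push(key);
    else if (before.get(key) !== globalObj[key]) overwritten.push(key);
  }
  const removed = [...before.keys()].filter(k => !(k in globalObj));
  return { added, overwritten, removed };
}

// Run a snippet against the global object and return what it changed.
function checkVendorSnippet(globalObj, snippet) {
  const before = snapshotGlobals(globalObj);
  snippet(globalObj);
  return diffGlobals(before, globalObj);
}

// Constructed stand-in for `window`, so this runs outside a browser.
function makeFakeWindow() {
  const jq = function jQuery() {};
  return { $: jq, jQuery: jq, analyticsReady: true };
}

// Constructed vendor snippet showing the failure mode the answer describes:
// it silently redefines `$` and drops a global of its own.
function runVendorSnippet(w) {
  w.$ = function vendorSelector() {};
  w.__vendorQueue = [];
}

// Usage: in a browser, checkVendorSnippet(window, loadVendorTag) where
// loadVendorTag inserts the vendor's <script> and waits for its onload.
const report = checkVendorSnippet(makeFakeWindow(), runVendorSnippet);
console.log(report); // overwritten: ['$'], added: ['__vendorQueue']
```

Any entry in overwritten that names a function your own code or its libraries depend on is grounds to reject the snippet, or at least to load it inside a wrapper that restores the originals afterwards.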
There is always the possibility that a vendor's server is compromised and they do some kind of XSS.
It sounds like you are already aware of the main ones: slowing down the page, and the chance that 3rd party non-hosted scripts could break or not be present, causing issues.
It also depends on the reliability of these 3rd parties. There's always the chance their script could get replaced with something malicious.
Why carry the burden of responsibility for code that you did not write? If anything goes wrong, I bet your manager won't hold the vendors responsible - they'll hold you. So say no to this one, even if it means changing your job.
IE 8+ has a new feature named InPrivate Filtering, which basically states that if it finds the same javascript file from N (configurable) number of domains it just blocks it after reaching the limit. That would be bad if it was jquery, for example. This is disabled by default, but it's still a problem if users are using it.