[raesene6]

Loading third party JS is increasingly common for a lot of sites, and I tend to raise it when doing security reviews, for this reason, you're trusting the security of those 3rd parties.

There are some defenses that can be put in place. The first one is kind of awkward in many cases which is to host the JS on your own domain. There's still the risk of course that it will go off and get additional code from the 3rd party source to execute, but that can be reviewed for.

The other option is to use sub-resource integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subres...) to ensure that only scripts you've reviewed are used.

Of course you need then to make sure you're notified before the 3rd party makes changes that would break the signature.

[rhizome]

Loading third party JS is increasingly common for a lot of sites, and I tend to raise it when doing security reviews

What kind of pushback do you get and how do you handle it?

[raesene6]

To be honest I'm a external security assessor/pentester and I've not had much pushback from clients on this. That said I don't always get visibility of whether they implement our recommendations or not :)

To me, it's not really a debatable point that loading JS from a source you don't control implies trust in that source and therefore a risk that if they are compromised it affects your site.

Whether that risk is ok for a business depends on a number of factors like :-

- How trustworthy are the sources they're loading from? - What reviews have they completed on the security of those sources? - Do they have contracts in place with those sources that cover the requirement for security?