by TomGullen 1533 days ago
You have to have some level of trust - our ASP.NET website loads quite a few NuGet packages we regularly keep up to date. Theoretically any of them, say Stripe or PayPal, could add nefarious code into our site to steal a bunch of stuff - there's no practical way for us to review the source code before updating.

For JavaScript, if you're paranoid, you can add the `integrity` attribute, and most of the time you can self-host the JS, although all of these come with maintenance commitments.

I think it's reasonable if you trust the source (Twitter for example) to embed their third party code.


The difference is that you have a contractual relationship with Stripe or PayPal when you use their services. When you embed FB/Twitter/... content there's no such relationship; that's the issue.

OK, bad examples, but any open source project you use via a package manager in your projects you have to trust, and there's no contract or relationship there.

Yes, but bundling packages via npm is not an issue either; it's the fact that third-party embeds transfer personal data to the third party whenever a user visits the website that is the central issue.