
I am building a website in which I have included a third-party weather HTML widget; the widget looks to be from a reliable source and is trusted over the web. This widget is in the form of a link and a small JavaScript tag which are then rendered once loaded.

I wanted to know how safe my site data will be once I load this or other widgets: will they be able to sniff my site data, including cookies, HTML, CSS etc.?


2 Answers


When you use 3rd party JavaScript on your site, you have to trust them. You are, in effect, giving them permission to run whatever code they want on your site. That code could:

  • Read cookies that are not set as HTTP only
  • Access all the data on the page
  • Call JavaScript APIs from your server that would not normally be accessible to 3rd parties
  • Change anything on the page
  • Send any data they find back to the 3rd party (or any other party)

These abilities could potentially be abused for any number of nefarious purposes such as stealing your data, redirecting your users, or tracking your users.

Here is a related article that goes into more detail: Jeremiah Grossman: Third-Party Web Widget Security FAQ

Stephen Ostermiller
  • thanks Stephen for the answer; however, I have checked that these third-party widgets will be loaded in iframes with different domains, and since the domains are different we normally cannot access the cross-origin subframe DOM contents as per current browser designs, to protect users from XSS attacks. Can you comment on this? Please also see https://stackoverflow.com/questions/6170925/get-dom-content-of-cross-domain-iframe – app Jan 24 '22 at 02:32
  • Cross domain iframes are MUCH safer than cross domain JavaScript. You describe it as putting `...` into your page, however if you are putting ` – Stephen Ostermiller Jan 24 '22 at 10:11
  • yes, I am loading them as per the https://weatherwidget.io/ website; I could change that into an iframe, however you load many such third-party scripts, ranging from Google Analytics, ads and other third-party scripts, so iframes will not always suffice. Also found a similar question https://stackoverflow.com/questions/33878372/does-including-all-these-3rd-party-javascript-files-impose-a-security-risk – app Jan 24 '22 at 10:39
  • It is very common to trust many 3rd parties, even with the security risks. – Stephen Ostermiller Jan 24 '22 at 10:41

Cookies you can't copy, because they only work for their domain; if you change the domain, the browser begins new cookies. HTML and JS are very easy to copy; there are a few options to do this:

  1. httrack
  2. use view source and more options...