What are the risks associated with Hosting 3rd party Javascripts?

Question

I'm a new developer at my company and I do mostly front-end web development. Our team is frequently asked by our Sales and Marketing people to incorporate 3rd party javascripts on our site.

"Here's a 'little code snippet'. Our vendor asked if you could put this in our home page"

This makes me very nervous.

I know these scripts can slow down our pages, and I've found in a number of cases I've had to surround some code with try/catch blocks to ensure that these 3rd party errors do not impact other scripts on the page.

These scripts come to me in a variety of forms ...

some are vendor supplied scripts that we host ...

<script src="http://www.mycompany.com/js/vendor-file.js" type="text/javascript">

... some are reference in our code, but hosted externally

<script src="http://www.vendor.com/js/file.js" type="text/javascript">

... and some are scripts are appear inline on our site, which insert tags into our head by writing to the DOM

var a = document.createElement("script"); a.type = "text/javascript" ... etc.

A lesser concern, but still important is cookie writing -- and exceeding the IE6's 20 cookie limit (yes, an important client base is still on IE6 and they represent real $$$) -- so we require (hope) that no javascripts hosted on our domain drops any additional cookies.

But, aside from the cookie issue -- what additional risks/scenarios/dangers exist that I need to know about or should be looking out for -- so I can keep our site and our customers happy.

Thanks

-Rich

Answer 1

No is a big word with a lot of power. Wield it well.

You are under NO obligation (barring legal and contractual agreements) to include any code snippets from sources you do not know and fully trust. If you are nervous, and you're responsible for the stability and security of your site, JUST SAY NO.

JavaScript can be a wild beast to tame. It's very easy for one small, seemingly innocuous script to bring the whole house crashing down. Never treat any simple script like its "just a silly little thing." All it takes is for one script to replace a key function that, say, JQuery, or AJAX, or some other library relies on, and your site will go down in a blaze of glory.