This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "3rd Party Javascript Management Cheat Sheet"
m (work in porogress) |
(→js request) |
||
| Line 25: | Line 25: | ||
== js request == | == js request == | ||
| − | + | a single line of js calls lots of other js from multiple vendors. The single line gets js from a tag aggregator or tag manager site (like Sentinel). The actual content of that js (what other js files it calls and what DOM objects it reads) can be dynamically changed using a graphical user interface that the marketing part of the business uses. This is the least secure because you can only see the code if you proxy the requests or if you get access to the GUI and see what is configured. | |
| − | |||
| − | + | ||
| + | = Standards = | ||
| + | |||
| + | The standard says 'the tag js can only access values in the data layer that the server creates on the page. The js can never access a URL parameter'. The data layer is either 1. a DIV object with attribute values that have the marketing or user behavior data that the 3rd party wants. or 2. a set of JSON objects with the same data. | ||
You have to agree with the 3rd party vendors what attribute in the data layer will have what value so they can create the js to read that value. | You have to agree with the 3rd party vendors what attribute in the data layer will have what value so they can create the js to read that value. | ||
Revision as of 21:51, 26 February 2016
|
Last revision (mm/dd/yy): 02/26/2016
IntroductionTODO 3rd Party JavaScript Deployment Architectures =TODO Vendor Javascript on pageThis is where the vendor sends you the js and you put it on your page. Server Directjs you write sends the data values to the vendor, or to a tag manager or tag aggregator site which then sends the data to vendors js requesta single line of js calls lots of other js from multiple vendors. The single line gets js from a tag aggregator or tag manager site (like Sentinel). The actual content of that js (what other js files it calls and what DOM objects it reads) can be dynamically changed using a graphical user interface that the marketing part of the business uses. This is the least secure because you can only see the code if you proxy the requests or if you get access to the GUI and see what is configured.
StandardsThe standard says 'the tag js can only access values in the data layer that the server creates on the page. The js can never access a URL parameter'. The data layer is either 1. a DIV object with attribute values that have the marketing or user behavior data that the 3rd party wants. or 2. a set of JSON objects with the same data. You have to agree with the 3rd party vendors what attribute in the data layer will have what value so they can create the js to read that value. Tag manager/aggregator sites that offer the GUI to configure the js may also implement technical controls such as only allowing the js to access the data layer values, no other DOM element. Letting the marketing folks decide where to get the data they want has resulted in XSS because they get it from a URL parameter and put it into a variable that is in a scriptable location on the page. Do it YourselfBringing this features all in house may not be feasible given the number of different 3rd (and 4th and 5th) party scripts used (sometimes more than 50) and the business functions they perform, and the speed with which the business needs to turn on, change and turn off various functions. Vendor AgreementsYou can have the agreement with the 3rd parties say that they have to implement and prove secure coding and general corporate security. Authors and Primary EditorsJim Weiler - [email protected] Other Cheatsheets |
