
[WEB SECURITY] risks of hosting js files on CDN?

From: Joe White <joe_at_nospam>
Date: Fri Nov 23 2007 - 19:11:06 GMT
To: websecurity@webappsec.org


Does anyone have any thoughts on security concerns for hosting js files at a content delivery network (CDN) like Akamai or others?

The bugtraq thread below was very timely for me and I was hoping to get some other thoughts on this:

http://www.securityfocus.com/archive/1/484020/30/30/threaded

Clearly, I recognize the potential performance gains for offloading static client-side files to a CDN when the page weight is high due to rich user experience, but isn't it also fair to say that this adds an unnecessary risk to the web application? I mean, think of the possibilities if the integrity of the js files is compromised. The compromised js files would then have complete access to the DOM of the respective site. Also, think about the possibilities with AJAX. This seems like a *huge* unnecessary risk to me that is best avoided.

In terms of best practices, isn't it fair to say that offloading js files to a CDN is a bad idea?

Any thoughts?

thanks,

joe
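
The integrity concern raised in the message above can be checked mechanically. As an added example (not part of the original post), this Node.js code pins a digest of each reviewed script in the `alg-base64` form used by the HTML `integrity` attribute and reports CDN-served copies that no longer match. The URLs, function names and sample files are constructed for illustration, and failing closed on a missing pin is a choice made here.

```javascript
const crypto = require("crypto");

// Relative strength, used to pick the strongest algorithm in a pin list.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// Digest in the "alg-base64" form used by the HTML integrity attribute.
function digest(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse a whitespace-separated pin list; malformed or unknown entries are dropped.
function parsePins(pins) {
  return pins.split(/\s+/).map((token) => {
    const hashPart = token.split("?")[0]; // ignore optional "?options"
    const dash = hashPart.indexOf("-");
    return { alg: hashPart.slice(0, Math.max(dash, 0)), value: hashPart.slice(dash + 1) };
  }).filter((p) => STRENGTH.has(p.alg));
}

// True only if the body matches a pin of the strongest algorithm listed.
// A missing or unparseable pin list fails closed (a choice made for this example).
function matchesPins(body, pins) {
  const parsed = parsePins(pins);
  if (parsed.length === 0) return false;
  const best = Math.max(...parsed.map((p) => STRENGTH.get(p.alg)));
  return parsed.filter((p) => STRENGTH.get(p.alg) === best).some((p) => {
    const expected = Buffer.from(p.value, "base64");
    const actual = crypto.createHash(p.alg).update(body).digest();
    return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  });
}

// Return the URLs whose served bytes no longer match their pinned digest.
function audit(served, pinsByUrl) {
  return Object.keys(served).filter((url) => !matchesPins(served[url], pinsByUrl[url] || ""));
}

// Constructed sample data: a reviewed file and a copy altered after upload.
const reviewed = Buffer.from("function track(e){ log(e.type); }\n");
const tampered = Buffer.from("function track(e){ log(e.type); extra(); }\n");
const pins = {
  "https://cdn.example/app.js": digest(reviewed),
  "https://cdn.example/ui.js": digest(reviewed),
};
const fetched = {
  "https://cdn.example/app.js": reviewed,
  "https://cdn.example/ui.js": tampered,
};
console.log(audit(fetched, pins)); // URLs to investigate
```

In a deployment the `fetched` map would be filled by periodically downloading each CDN URL, and the pins would come from the build that produced the reviewed files.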



