Joe White wrote:
> in terms of best practices, isn't it fair to say that offloading js
> files to a CDN is a bad idea?
So while my opinion is that 3rd-party js adds another attack vector and therefore should be avoided, if the third party is a domain under your control or specific to your site, then the added risk is close to negligible. Google Analytics could be scary because compromising it would open up dozens of domains to XSS attacks, but your CDN or static content site being compromised or spoofed is probably no more likely than an active MITM.
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/