External Javascript *thoughts *security
In one of the 5.7 themes I am using, I noticed this in the index.php view-source.
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
  <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
  <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
Novice question here... This is accessing external js over SSL/TLS for an IE browser issue, correct?
What are your thoughts on having external js in a website? Security and reliability issues from external 3rd party public sources? Can this be maliciously abused and affect my site?
As I thought about this topic a little more, I was wondering...
Does Concrete5 have any security policies for developers adding access to external code from public resources?
Does this get scanned during approval? Or on any updates?
Should the theme's page state that external resources are being accessed to function correctly?
I am not trying to imply any distrust on any developers, but I have to be accountable for all the links in the chain when I give it to my customer.
Thanks for any input.
Those scripts should actually start like this:
If you are concerned about using external CDNs (theory is the user might already have those resources cached in the browser), you can download them locally and override the theme.
At that point it would become a moot point.
John
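An added example, not part of the original thread: a small audit that lists every externally hosted script in a page's HTML, including scripts inside IE conditional comments like the one quoted above, which an ordinary HTML parser treats as comments and skips. The site host `www.example.com` and the local script path in the sample are assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the theme's conditional comment plus one local script.
SAMPLE = """<script src="/js/site.js"></script>
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->"""

# Body of a downlevel-hidden conditional comment: [if COND]> markup <![endif]
CONDITIONAL = re.compile(r"^\[if ([^\]]*)\]>(.*)<!\[endif\]$", re.S)


class ScriptAudit(HTMLParser):
    def __init__(self, site_host, condition=None):
        super().__init__()
        self.site_host = site_host
        self.condition = condition  # IE condition the script is gated on, if any
        self.found = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag != "script" or not src:
            return
        url = urlparse(src)
        if url.netloc and url.netloc != self.site_host:  # relative URLs are local
            self.found.append({"src": src, "host": url.netloc,
                               "https": url.scheme == "https",
                               "condition": self.condition})

    def handle_comment(self, data):
        m = CONDITIONAL.match(data.strip())
        if m:  # re-parse the hidden markup that old IE versions would execute
            inner = ScriptAudit(self.site_host, condition=m.group(1))
            inner.feed(m.group(2))
            inner.close()
            self.found.extend(inner.found)


def external_scripts(html, site_host):
    """Return one record per script loaded from a host other than site_host."""
    audit = ScriptAudit(site_host)
    audit.feed(html)
    audit.close()
    return audit.found


if __name__ == "__main__":
    for s in external_scripts(SAMPLE, "www.example.com"):
        print(s["host"], s["src"], "https" if s["https"] else "NOT https", s["condition"])
```

Run against the rendered page source of each template; every host it reports is a third party whose files run with full access to the page, and a candidate for the local copy John describes.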