Hosting 3rd Party Files, Scripts and Products

Ady Harold -

In order to ensure the security of your site and your users:-

  1. PracticeWEB do not allow the use of scripts hosted by 3rd parties.
    (The only exception to this rule is common libraries served by Google and listed at https://developers.google.com/speed/libraries/. These are allowed, although there will be a charge for implementing them should you need to use them.)
  2. No one other than authorised PracticeWEB staff is allowed access to any of the servers.
  3. PracticeWEB offer a service to host 'static' content (HTML, images, PDFs etc.) on external servers, away from any other sites.

All these measures are to safeguard our Service Level Agreement and the security and integrity of our service offering for all our clients and their website users.

More detail relating to hosting scripts

In many instances adding scripts and code to a site may seem trivial, but the Landscape product is used to run over 1000 sites and our clients demand a guarantee on the integrity of the product for all customers and users. By allowing the implementation of third party scripts we would be opening up aspects of the site and of users' data to a third party over which we have no control or oversight.

The things to consider for this are:-

  1. Security - as the 'script' loads on the site's domain, it now has access to the document model. We take extensive measures to ensure all our code and scripts are tested to ensure the security of website users; this is something we could not compromise on.
  2. Maintainability - if the third party who hosts the script changes, or becomes insolvent, it may take us considerable time to resolve the issue and there would be a significant charge relating to this investigation.
  3. Perceived Performance - when loading a script from an 'untrusted' server, the 3rd party could be overloaded or down, and the script could take valuable time to load, adding to a perceived drop in speed and quality for the users.

Security Implication

When scripts from a 3rd party domain are loaded, many functions of the site and the security of the user can be compromised. Your site runs in a “Sandbox” which protects users from malicious scripts; when the site is opened up to a third party script, the “Sandbox” is no longer there. If the server hosting the script is compromised, your site could be compromised: whoever controls the third party can rewrite the page, or access any cookies, and perhaps worse.
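One way to check a page against the rule above, as an added example (not PracticeWEB's own code): it lists every script tag whose source is neither the site itself nor the allowed Google library host. The host name ajax.googleapis.com, the HTTPS requirement, the site URL and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: Google's hosted libraries are served from this host, over HTTPS.
ALLOWED_EXTERNAL_HOSTS = {"ajax.googleapis.com"}
PAGE_URL = "https://www.client-site.example/index.html"  # constructed
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="//widgets.example.net/chat.js"></script>
<script src="https://ajax.googleapis.com.example.org/lib.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>var inline = 1;</script>
</head></html>"""  # constructed sample page


class ScriptAudit(HTMLParser):
    """Collect <script src> URLs that are neither same-host nor allowlisted."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.violations = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if not src:
            return  # not a script, or an inline script served by the site
        # Resolve relative and protocol-relative (//host/x.js) sources first.
        absolute = urljoin(self.page_url, src.strip())
        parts = urlsplit(absolute)
        host = (parts.hostname or "").lower()
        if host == self.site_host:
            return
        # Exact host match only: a look-alike such as
        # ajax.googleapis.com.example.org must not pass.
        if host in ALLOWED_EXTERNAL_HOSTS and parts.scheme == "https":
            return
        self.violations.append(absolute)


def audit(page_url, html):
    """Return the script URLs on the page that break the hosting rule."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.violations


if __name__ == "__main__":
    for url in audit(PAGE_URL, SAMPLE_HTML):
        print("third-party script:", url)
```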

Further Reading

If you would like to read more on this please see http://en.wikipedia.org/wiki/Cross-site_scripting
