
[WEB SECURITY] adding a java script from a different domain




We are evaluating a web stat analyzer service that requires adding a
small JavaScript file, hosted at the company that provides the
service, in our HTML template file.  It's similar to Google Analytics
<http://www.google.com/analytics/>.  It has very good reports, would
save a lot of administration time, and the cost seems very
attractive.  However, I'm not comfortable adding JavaScript hosted
in another domain, for example

  <script src="http://www.exmple.com/example.js"
  type="text/javascript"/>.

I don't really know the content of the "example.js" which currently
includes another URL that takes some values from the browser as input,
but it can also be changed anytime without my knowledge.  OTOH, I'm
not sure if I should be concerned.

Any opinions would be appreciated.

Thanks in advance.
--IJ
















Brought to you by http://www.webappsec.org