Security issue?
Posted: Fri Apr 20, 2007 2:14 am
by alex.barylski
I have a couple of web sites, all of which are on shared hosts physically located (God knows where). Each of them shares some common JS and I would like to centralize that JS and just reference each JS from another IP address or basically a shared host which does nothing but deliver common code.
When a web page includes JS from a domain other than its own, that doesn't flag errors, eh?
I mean, Google does it and so do countless others, so I can't see it being a problem or causing any XSS issues. XSS is typically reserved for JavaScript running on one domain manipulating the DOM of another or similar techniques, correct?
Thanks a bunch

Re: Security issue?
Posted: Fri Apr 20, 2007 2:48 am
by Chris Corbyn
Hockey wrote: I have a couple of web sites, all of which are on shared hosts physically located (God knows where). Each of them shares some common JS and I would like to centralize that JS and just reference each JS from another IP address or basically a shared host which does nothing but deliver common code.
When a web page includes JS from a domain other than its own, that doesn't flag errors, eh?
I mean, Google does it and so do countless others, so I can't see it being a problem or causing any XSS issues. XSS is typically reserved for JavaScript running on one domain manipulating the DOM of another or similar techniques, correct?
Thanks a bunch

There are no issues, no. AdSense and things like that wouldn't work unless you could include remote scripts. The browser doesn't care, provided it can find the other domain. As for XSS issues, you have the same risk as you do if you dispatch the code from the same server. All the server is doing is serving the files in one direction.
EDIT | I'd probably set up subdomains within the domains that will use this repository so that you refer to scripts.yourdomain.com or something rather than someotherrandomdomain.com/scripts/
Posted: Fri Apr 20, 2007 6:03 am
by Kieran Huggins
While I like the subdomain suggestion, I still can't entirely see the benefit of centralizing your JavaScript to another server... Is it an app like AdWords that you're trying to keep a single revision of?