Dangers of Remote Scripting
Written on January 20th, 2008 in Ajax News.
O’Reilly Radar comments on the dangers of remote scripting:
We at O’Reilly just got bit on perl.com, which redirected to a porn site courtesy a piece of remotely-included Javascript. One of our advertisers was using an ads system that required our pages to load Javascript from their site. It only took three things to turn perl.com into porn.com: (1) the advertiser’s domain lapsed, (2) the porn company bought it, (3) they replaced the Javascript that we were loading with a small chunk that redirected to the porn site (note that nothing on or about perl.com changed). Our first concern was that we’d been hacked and “run this remote Javascript” inserted from our servers without our knowledge, but that hadn’t happened—our change records and RT logs show we’ve had that Javascript and advertiser since May 2006.
There’s nothing especially new about this; the external Javascript model has been in place since long before Ajax and widgets. Yet, with widgets taking off, more and more users and developers are cutting and pasting script tags into their web pages, pulling in code from a wide variety of providers, big and small. How well equipped are publishers to decide which providers are safe and which are not, and to deal with situations like the one O’Reilly experienced, where someone takes over an expired domain?
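One way a publisher can see which outside domains are able to run code on its pages, as an added example that is not part of the Ajaxian or O'Reilly posts: the Node.js code below lists every script a page loads from another host and notes whether it is pinned with a Subresource Integrity hash and fetched over HTTPS. The names auditScripts and parseAttrs, the sample page and its hostnames are constructed for illustration, and the regex extraction assumes well-formed script tags.

```javascript
// Added example: inventory the third-party <script src> includes in a page.
// auditScripts(), parseAttrs() and the sample page are constructed for illustration.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the raw attribute text of one tag into a { name: value } map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Returns one finding per script loaded from a host other than the page's own.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;                // inline script, nothing fetched remotely
    const src = new URL(attrs.src, page);    // resolves relative and //host URLs
    if (src.host === page.host) continue;    // first-party include
    const issues = [];
    if (!attrs.integrity) issues.push("no-integrity-pin");
    if (src.protocol !== "https:") issues.push("insecure-transport");
    findings.push({ host: src.host, url: src.href, issues });
  }
  return findings;
}

// Constructed sample page; hostnames use reserved example domains.
const samplePage = `
<html><head>
<script src="/js/site.js"></script>
<script src="http://ads.example.net/serve.js"></script>
<script src='https://cdn.example.org/lib.js' integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>var inline = true;</script>
</head></html>`;

for (const f of auditScripts(samplePage, "https://www.example.com/index.html")) {
  console.log(f.host, f.issues.join(",") || "pinned");
}
```

An integrity pin only suits files whose bytes do not change; for an ad tag that the provider updates at will, the host list itself is the control, because it names the domains whose registration and ownership the publisher now depends on.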
Source: Ajaxian
Original Article: http://feeds.feedburner.com/~r/ajaxian/~3/219819767/dangers-of-remote-scripting