When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and also trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfill, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
Please sign in to leave a comment.