Software, your way.
burger menu icon
WillMaster

WillMasterBlog > Content Protection

FREE! Coding tips, tricks, and treasures.

Possibilities weekly ezine

Get the weekly email website developers read:

 

Your email address

name@example.com
YES! Send Possibilities every week!

Risks of Linking to Others' JavaScript Files

This is a story with scary realizations.

Mari and I have operated willmaster.com for, well, a long time. Over a decade. That's a lot of time for a lot of people to hotlink to our stuff.

There is one type of hotlink I want to warn you about because it is a security risk. And that is hotlinking to other people's JavaScript files.

Hotlinking to JavaScript Files Can Be Dangerous

Whether your hotlink is authorized or not, if you pull JavaScript from someone else's website you will be at their mercy. Consider the possible consequences if they are inept or get mad at you or experience a sadistic pleasure by making you dance or have any other reason to deliver JavaScript different than what you expect.

They might

  • put their ads on your web pages,
  • insert messages directly into your web page,
  • automatically redirect your visitor's browsers to adult websites or the CIA or to their own websites,
  • cause alert boxes to spawn,

perpetrate all manner of shenanigans.

Those can be annoying or even frightening.

In a moment, I'll tell you about some really dangerous stuff.

Using Hotlink ALARM to Prevent Hotlinking

I got to thinking about the possible consequences of hotlinking to JavaScript files on other people's websites when I was setting up our own hotlinking protection.

We're using Hotlink ALARM to prevent unauthorized hotlinking to JavaScript (and other) files. It doesn't actually prevent the hotlinking, but it does let you substitute other JavaScript, a replacement for what is hotlinked to.

While I was deciding what JavaScript code I would put on web pages of those who are hotlinking to our JavaScript files without authorization, I realized I could play havoc.

The more I thought about what could be done, the more alarmed I became. And I felt compelled to write this article to alert people to some of the dangers.

Possible Consequences of Hotlinking to JavaScript Files

In line with the purpose of this article, following are some dangerous things that can be done to you and your website visitors, not an exhaustive list but hopefully enough to make thinking about this a priority.

When you import JavaScript into your web pages from files or software on websites others control, they can

  • get counts of your traffic,
  • read cookies your website has set (including cookies with passwords, which you should of course never set),
  • obtain information about your visitors' habits,
  • know how many visitors are repeats,
  • know how long visitors stay on your web pages, and whether they scroll or just view above the fold,
  • remove the content of your web page and replace it with their own,
  • attempt to upload a virus to your visitor's computer,
  • find out where your visitiors came from,
  • find out which links your visitors click to leave your web page,
  • set their own cookies into your visitors' browsers,

perpetrate all manner of shenanigans.

If they know your IP address, they can send benign JavaScript when you load your web page and dangerous JavaScript when others do.

Think long and hard before inserting JavaScript into your web pages retrieved from a website you do not control.

The JavaScript Code Substitute I Decided Upon

I am not a vindictive person. My desire is to discourage hotlinking to willmaster.com JavaScript files — to discourage, not to punish.

As this article is being written, the replacement code being sent to web pages that hotlink to our JavaScript files without authorization is this:

document.write('<div style="text-align:center; font-size:18pt; line-height:22px; font-weight:bold; color:black; background-color:yellow; padding:10px;">Please do not hotlink to willmaster.com JavaScript files. <span style="font-size:12pt; white-space:nowrap;">(detected by <a href="/library/php/the-new-hotlink-alarm.php"><span style="color:red; font-style:underline;">HotlinkALARM</span></a>)</span></div>');

That prints, in large text, " Please do not hotlink to willmaster.com JavaScript files. (detected by Hotlink ALARM) "

Before importing JavaScript from a domain you do not control, ask yourself, "Do I confidently trust the organization/entity and all of its employees?"

Will Bontrager

Was this blog post helpful to you?
(anonymous form)

Support This Website

Some of our support is from people like you who see the value of all that's offered for FREE at this website.

"Yes, let me contribute."

Amount (USD):

Tap to Choose
Contribution
Method


All information in WillMaster Blog articles is presented AS-IS.

We only suggest and recommend what we believe is of value. As remuneration for the time and research involved to provide quality links, we generally use affiliate links when we can. Whenever we link to something not our own, you should assume they are affiliate links or that we benefit in some way.

Recent Articles in the Library

Extracting Dates From the Unix Timestamp

The UNIX timestamp can be used to determine the represented time for any time zone on Earth.

Submit Form Data Without Bothering User

To silently and effectively submit a form on a web page, Ajax with FormData() can be used.

CSS Dots

CSS dots can be used for interactions between web page and website user.

Email Testing

One thing to test when email doesn't get sent or doesn't arrive is whether the server actuall sends email.

Tap to Select

Find out how to make a link or button to select the content in a div or other HTML element.

Capitalizing the First Letter of Words

Here, find both PHP code and JavaScript code to capitalize the first letter of a word.

Fixed-position Table Header

During a vertical scroll, the table header scrolls out of view -- unless the header is fixed in position.

How Can We Help You? balloons
How Can We Help You?
bullet Custom Programming
bullet Ready-Made Software
bullet Technical Support
bullet Possibilities Newsletter
bullet Website "How-To" Info
bullet Useful Information List

© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC