Risks of Linking to Others' JavaScript Files
This is a story with scary realizations.
Mari and I have operated willmaster.com for, well, a long time. Over a decade. That's a lot of time for a lot of people to hotlink to our stuff.
There is one type of hotlink I want to warn you about because it is a security risk. And that is hotlinking to other people's JavaScript files.
Hotlinking to JavaScript Files Can Be Dangerous
Whether your hotlink is authorized or not, if you pull JavaScript from someone else's website you are at their mercy, because their script runs in your page with the same access as your own code. Consider the possible consequences if they are inept, get mad at you, take pleasure in making you dance, or have any other reason to deliver JavaScript different from what you expect.
They might
- put their ads on your web pages,
- insert messages directly into your web page,
- automatically redirect your visitors' browsers to adult websites or the CIA or to their own websites,
- cause alert boxes to spawn,
- perpetrate all manner of shenanigans.
Those can be annoying or even frightening.
In a moment, I'll tell you about some really dangerous stuff.
Using Hotlink ALARM to Prevent Hotlinking
I got to thinking about the possible consequences of hotlinking to JavaScript files on other people's websites when I was setting up our own hotlinking protection.
We're using Hotlink ALARM to prevent unauthorized hotlinking to JavaScript (and other) files. It doesn't actually prevent the hotlinking, but it does let you substitute replacement JavaScript for the file being hotlinked.
While I was deciding what JavaScript code I would put on web pages of those who are hotlinking to our JavaScript files without authorization, I realized I could play havoc.
The more I thought about what could be done, the more alarmed I became. And I felt compelled to write this article to alert people to some of the dangers.
Possible Consequences of Hotlinking to JavaScript Files
In line with the purpose of this article, following are some dangerous things that can be done to you and your website visitors. It is not an exhaustive list, but hopefully enough to make thinking about this a priority.
When you import JavaScript into your web pages from files or software on websites others control, they can
- get counts of your traffic,
- read any cookie your website has set without the HttpOnly flag (including cookies with passwords, which you should of course never set),
- obtain information about your visitors' habits,
- know how many visitors are repeats,
- know how long visitors stay on your web pages, and whether they scroll or just view above the fold,
- remove the content of your web page and replace it with their own,
- attempt to deliver a virus to your visitors' computers,
- find out where your visitors came from,
- find out which links your visitors click to leave your web page,
- set their own cookies in your visitors' browsers,
- perpetrate all manner of shenanigans.
If they know your IP address, they can send benign JavaScript when you load your web page and dangerous JavaScript when others do, so loading the page yourself and seeing nothing wrong proves nothing.
Think long and hard before inserting JavaScript into your web pages retrieved from a website you do not control.
The JavaScript Code Substitute I Decided Upon
I am not a vindictive person. My desire is to discourage hotlinking to willmaster.com JavaScript files, not to punish.
As this article is being written, the replacement code being sent to web pages that hotlink to our JavaScript files without authorization is this:
// Replacement script served to unauthorized hotlinkers: writes a yellow notice box into their page.
document.write('<div style="text-align:center; font-size:18pt; line-height:22px; font-weight:bold; color:black; background-color:yellow; padding:10px;">Please do not hotlink to willmaster.com JavaScript files. <span style="font-size:12pt; white-space:nowrap;">(detected by <a href="/library/php/the-new-hotlink-alarm.php"><span style="color:red; text-decoration:underline;">HotlinkALARM</span></a>)</span></div>');
That prints, in large text, "Please do not hotlink to willmaster.com JavaScript files. (detected by Hotlink ALARM)"
Before importing JavaScript from a domain you do not control, ask yourself, "Do I confidently trust the organization/entity and all of its employees?"
Will Bontrager