Security

Sloppy's Journal: The ad business REALLY sucks

It's bad enough when you're actually serving the data from your own site but it's in some form where you can't audit it. That's one of the many reasons I hate Flash.

But even JavaScript sucks when you <script src="someothersite">. The moment you do that, you know that all sorts of horrible things can go wrong. You just have to have faith. Faith is what it comes down to. And it can be justified, I guess, because you can get away with it for years.

Until this morning, when our web page would show for a second and then the whole thing would redirect to someone else's site. Adios, visitors.

(What actually happened: the domain we were including from apparently expired, and now any HTTP request to it goes to a Network Solutions page instead of returning a DNS error like it should. Fuck you, Network Solutions, as if we didn't already know you're evil and dangerous. But the same risk remains even if someone's domain doesn't expire; they can always serve a different script today than they did yesterday, and that script can do anything with the DOM that it wants to. There's no way to sandbox it.)

It's "standard practices" to include external scripts. Everyone does it. The ad people aren't techies; if I were to tell them, "uh, we don't want to include any external scripts that might change from load-to-load, and we also don't want to include any Flash crap unless we've compiled it from readable, auditable source ourselves," they would think I'm crazy. You know, one of those open source fanatics. They would say, "Gee, that's a shame you don't want the money," and go on sending the same dangerous ads to our competitors while we collect nothing.

Is it really an unreasonable weirdo religious fanatic position, to just want to be able to make sure that stuff will work and not do anything crazy? I don't think so. The fucking "standard practices" need to change, but how can one person do that? *sigh* I feel so powerless.

Comments:
  • If "tight@hotmail.com" bought an ad on your company site and redirected your visitors to goatse, or worse, your competitors, through a JS-enabled Flash ad.

  • That's a really good point. I need to add that to the web application security [docforge.com] wiki page I put together.

    Any time a client of mine wants external sources of content or JS (ads, maps, etc.) I always point out the weaknesses. But there are some serious security implications. Using Google APIs often makes people feel too comfortable and forget the risks.
