
> It’s bad that Backblaze did not do their due diligence while integrating with Facebook pixel

Here's the thing though, being a third party, due diligence means you constantly have to check what they're doing.

Because otherwise how do you know when they suddenly change their script to do something entirely different?

This is why having any 3rd party scripts on a dashboard service like this is in my view entirely inexcusable.

When I go to visit my cloud-based dashboard for Acronis' backup service[1] there's one single domain involved, and that's how it should be.

[1]: https://www.acronis.com/en-us/products/true-image/




> Because otherwise how do you know when they suddenly change their script to do something entirely different?

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...


Not bad, but as far as I can see it requires you are _really_ sure no further scripts are dynamically loaded.

Or is there a way for the server to specify all resources must have SRI?


https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...

You can combine CSP with SRI hashes and also report violations to the backend.


Yes, by using CSP


Nice, at least it's possible.


Why would you allow third party scripts to be updated by anyone but you?

This trend of dynamically linking to other people's shit needs to stop.


If you're updating them then they're not 3rd party scripts.


> Because otherwise how do you know when they suddenly change their script to do something entirely different?

Even though it's inconvenient maybe we should treat it as just another 3rd party dependency that needs to be downloaded, screened, and then used from the internal store. Pretty dangerous to dynamically load a script from a site like facebook.com.


>Because otherwise how do you know when they suddenly change their script to do something entirely different?

(a) Sandbox it.

(b) Have them sign a contract that they won't do so but only do these N things, and if they change those without telling you, sue them.





