The problem with this widget is the majority of the widget contents are stuck in an iframe. The js code mostly just does time detection and places the iframe on the site.
So even if you can audit and fix the js code you're running, you're still including content served straight from someone else's machine.
When we did this similar thing for sopa blackout (https://github.com/sirpengi/sopablackout), our widget was entirely self-contained (and under 200 LOC). And if you didn't trust our server you could host it entirely yourself.
So even if you can audit and fix the js code you're running, you're still including content served straight from someone else's machine.
When we did this similar thing for sopa blackout (https://github.com/sirpengi/sopablackout), our widget was entirely self-contained (and under 200 LOC). And if you didn't trust our server you could host it entirely yourself.