Many online services provide “widgets” that one can place on a website to bring new functionality to site visitors. We recognize how attractive that is, and want you to be able to use every tool necessary to meet your organization’s goals.
But of course, we are also committed to keeping Soapbox secure for you.
Unfortunately, many widgets link to JavaScript hosted on third-party servers, and this can pose a security risk.
Why is this risky? Because when you include third-party JavaScript in this way, you are essentially granting that script complete DOM access and allowing it to run as trusted code. Put another way, when website A includes a JavaScript web widget from website B, website B receives essentially total access to website A.
That alone sounds scary enough. But when you consider that many widgets come from untrusted sources, it becomes clear that this is a considerable risk. Additionally, even if the vendor of the JavaScript code has no bad intentions, we must consider that if that third party is ever compromised by a malicious outsider, the attacker inherits that same complete access.
Unless you can trust the third-party provider of the JavaScript with certainty, and can confirm that they have sound security policies in place, linking to their code presents risks that outweigh the usefulness of most widgets.
To address these risks while still allowing the use of as many widgets as possible, we have adopted a policy that offers two solutions:
- We have a short list of trusted third-party entities whose JavaScript code and security policies we have evaluated and deemed satisfactory. Examples of vendors on this list are Google Analytics, Twitter, Facebook, etc.
- If a vendor is not on our list of approved sources, then we will evaluate the code. If it appears acceptable, we will then attempt to take the JavaScript that is hosted on their server, copy it, and host it on the Soapbox server.
Often this works and the code will run as expected. However, sometimes the code won’t work on a server other than its home server. In that case, you may ask the vendor if they have a version of their code that will work when hosted on a remote server. Otherwise, the widget will not be allowed on your Soapbox site.
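As an added illustration of the second solution (not Soapbox's own tooling), the helper below vets a copied widget script before it is published from the local server: it checks that the bytes being published are exactly the ones a reviewer approved (by SHA-256 digest) and flags any URLs that still point back at the vendor's host, since such a copy will keep loading code from the home server and may not behave the same when self-hosted. The vendor URL, script contents and function names are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample data: a made-up vendor host and two versions of its widget script.
VENDOR_SCRIPT_URL = "https://widgets.vendor.example/embed.js"
VENDOR_SCRIPT_V1 = (
    b"(function(){var el=document.getElementById('w');el.textContent='hi';})();"
)
# A later version that injects a second script from the vendor's own server.
VENDOR_SCRIPT_V2 = (
    b"(function(){var s=document.createElement('script');"
    b"s.src='https://widgets.vendor.example/track.js';"
    b"document.head.appendChild(s);})();"
)


def sha256_hex(data: bytes) -> str:
    """Digest the reviewer records after reading and approving a script."""
    return hashlib.sha256(data).hexdigest()


def home_server_references(script: bytes, vendor_url: str) -> list:
    """Return absolute URLs in the script that point at the vendor's host.

    A self-hosted copy that still fetches from these keeps the vendor's server
    in the trust chain, so the copy has not removed the original risk.
    """
    home_host = urlparse(vendor_url).hostname
    found = re.findall(rb"https?://[^\s'\"()]+", script)
    return [u.decode() for u in found if urlparse(u.decode()).hostname == home_host]


def vet_for_self_hosting(script: bytes, approved_sha256: str, vendor_url: str) -> dict:
    """Decide whether a fetched copy may be published from the local server."""
    digest_matches = sha256_hex(script) == approved_sha256
    home_refs = home_server_references(script, vendor_url)
    return {
        "digest_matches": digest_matches,  # bytes are exactly what was reviewed
        "home_refs": home_refs,            # URLs still calling back to the vendor
        "publish": digest_matches and not home_refs,
    }


if __name__ == "__main__":
    approved = sha256_hex(VENDOR_SCRIPT_V1)  # reviewer approved version 1
    print(vet_for_self_hosting(VENDOR_SCRIPT_V1, approved, VENDOR_SCRIPT_URL))
    print(vet_for_self_hosting(VENDOR_SCRIPT_V2, approved, VENDOR_SCRIPT_URL))
```

Re-running the check on a fresh fetch is also how you notice that the vendor has changed the script since it was reviewed.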
We do reserve the right to refuse to link to or host any third-party code at our discretion.