Subscribe to
the Possibilities Ezine

Subscription Terms of Service
Privacy Policy

RSS feed links

Blog Article Categories

Automation

CGI

Content Protection

CSS

Debugging

HTML

JavaScript

Perl

PHP

Recommendations

Related Sites

Statistics

Web Development

Web Site Maintenance

Misc

Risks of Linking to Others' JavaScript Files

By Will Bontrager

This is a story with scary realizations.

Mari and I have operated willmaster.com for, well, a long time. Over a decade. That's a lot of time for a lot of people to hotlink to our stuff.

There is one type of hotlink I want to warn you about because it is a security risk. And that is hotlinking to other people's JavaScript files.

Hotlinking to JavaScript Files Can Be Dangerous

Whether your hotlink is authorized or not, if you pull JavaScript from someone else's web site you will be at their mercy. Consider the possible consequences if they are inept or get mad at you or experience a sadistic pleasure by making you dance or have any other reason to deliver JavaScript different than what you expect.

They might

• put their ads on your web pages,
• insert messages directly into your web page,
• automatically redirect your visitor's browsers to adult web sites or the CIA or to their own web sites,
• cause alert boxes to spawn,

perpetrate all manner of shenanigans.

Those can be annoying or even frightening.

In a moment, I'll tell you about some really dangerous stuff.

Using Hotlink ALARM to Prevent Hotlinking

I got to thinking about the possible consequences of hotlinking to JavaScript files on other people's web sites when I was setting up our own hotlinking protection.

We're using Hotlink ALARM to prevent unauthorized hotlinking to JavaScript (and other) files. It doesn't actually prevent the hotlinking, but it does let you substitute other JavaScript, a replacement for what is hotlinked to.

While I was deciding what JavaScript code I would put on web pages of those who are hotlinking to our JavaScript files without authorization, I realized I could play havoc.

The more I thought about what could be done, the more alarmed I became. And I felt compelled to write this article to alert people to some of the dangers.

Possible Consequences of Hotlinking to JavaScript Files

In line with the purpose of this article, following are some dangerous things that can be done to you and your web site visitors, not an exhaustive list but hopefully enough to make thinking about this a priority.

When you import JavaScript into your web pages from files or software on web sites others control, they can

• get counts of your traffic,
• read cookies your web site has set (including cookies with passwords, which you should of course never set),
• obtain information about your visitors' habits,
• know how many visitors are repeats,
• know how long visitors stay on your web pages, and whether they scroll or just view above the fold,
• remove the content of your web page and replace it with their own,
• attempt to upload a virus to your visitor's computer,
• find out where your visitiors came from,
• find out which links your visitors click to leave your web page,
• set their own cookies into your visitors' browsers,

perpetrate all manner of shenanigans.

If they know your IP address, they can send benign JavaScript when you load your web page and dangerous JavaScript when others do.

Think long and hard before inserting JavaScript into your web pages retrieved from a web site you do not control.

The JavaScript Code Substitute I Decided Upon

I am not a vindictive person. My desire is to discourage hotlinking to willmaster.com JavaScript files — to discourage, not to punish.

As this article is being written, the replacement code being sent to web pages that hotlink to our JavaScript files without authorization is this:

document.write('<div style="text-align:center; font-size:18pt; line-height:22px; font-weight:bold; color:black; background-color:yellow; padding:10px;">Please do not hotlink to willmaster.com JavaScript files. <span style="font-size:12pt; white-space:nowrap;">(detected by <a href="http://hotlinkalarm.com/"><span style="color:red; font-style:underline;">HotlinkALARM</span></a>)</span></div>');

That prints, in large text, " Please do not hotlink to willmaster.com JavaScript files. (detected by Hotlink ALARM) "

If you would like to see what we are currently using as a substitute, now that the time of writing this article is in the past, simply hotlink to one of our JavaScript files. Here's one you can use for testing:

<script type="text/javascript" language="JavaScript" src="http://www.willmaster.com/ClickWatch.js"> </script>

If the above doesn't work, if the src URL is a 404 for example (we're revamping willmaster.com and things will change), view the source code of this web page and find some JavaScript that retrieves code from an external file on willmaster.com. And use that for your test hotlinking.

Put the above in a temporary web page on your web site and you can see for yourself how well HotlinkALARM works.

January 31, 2008

Please note: Articles on this website are presented "as is". However -

If you have a question about a CGI script, HTML, CSS, PHP, or JavaScript
Ask one of our Experts and you'll have your answer!
Click here for details.

© 1998-2001 William and Mari Bontrager
© 2001-2008 Bontrager Connection, LLC