The World of Search Engine Optimization and Search Engine Marketing. Here you will find lessons, tips, news and articles on Search Engine Optimization (SEO), Internet Marketing, Advertising and Promotion, free lessons and tips, useful tools, information and more. Enjoy yourself!

Tuesday, September 05, 2006

Why XSS is Here to Stay

On the drive to work today, I started wondering what it would take to stop cross-site scripting. Not from a website perspective, because god knows that's such a huge task it would take forever to accomplish. But rather, what would happen if all the browsers, on the same day at the same time, decided to shut off remote script includes? That would be great from a web application security perspective, but what exactly would break if that happened? A lot is the short answer, but here are a few things that make Fortune 500 type companies rely on it:

Analytics: Yup, you can thank the likes of Google, Omniture and Hitbox for making JavaScript counters that do more than count; they also gather statistics that are only available in JavaScript space. If remote JavaScript were turned off, the only alternative would be to include some local proxy, to call the local dynamic page and proxy that information back to the analytics programs. Even huge companies would rather use their data warehouse only for auditing or spider analytics (which fly under the radar of JavaScript reporting systems) and use these JavaScript includes as the primary source of information about their site.

Contextual banner ads: Here you can thank the banner companies (Google and Overture primarily) for increasing the placement of dynamic banner ads all over the web. In doing so they have created a huge dependence on remote JavaScript for revenue generation (this site is no different).

AJAX: Information superhighway 2.0, here we come! Tons of applications are starting to request off-host XML files to include in their website. It's the new way to deliver content without refreshing the page. If we got rid of it, what would happen? Well, we'd probably go back to refreshing the web page, or using some other cross-domain software, like Flash. I doubt anyone is giving up on this one any time in the near future.

Akamai: I love Akamai in concept. Caching is a huge part of performance in big website design. If you can throw your static content, like images and, oh, JavaScript, on remote hosts that cache that content for you, you can dramatically decrease load time and processor power. It's sexy, and it's here to stay. Too bad it forces me to allow JavaScript from everywhere if I want to see "Hello, RSnake" at the top of the websites I visit.

Page load and SEO: Going hand in hand with Akamai is that big companies don't want to include all the JavaScript on their page because it dramatically slows down the time it takes to render the page. The reason is that inline JavaScript is not cacheable when the page itself is dynamic (which large companies typically have a lot of). Also, if you are very bandwidth conscious and you set a ton of cookies, you don't want the browser sending those cookies over and over again (upstream is typically slower than downstream too), so you are better off keeping the JavaScript off host so the cookies aren't sent in transit on every request. Additionally, spiders discount JavaScript in terms of SEO (search engine optimization), so keeping JavaScript on the page reduces the relevance of the content on your page.
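A defender's first step with all of the above is to measure how much of a given page actually depends on remote script, and which of those remote hosts would receive the site's cookies (the point about cookies in transit). The following is an added example in Python, not code from the original post: it parses a page's HTML for script tags with a src attribute, resolves each to an absolute URL, flags which ones come from a host other than the page's own, and checks each host against the site's cookie domain using RFC 6265 domain matching. The sample page and every hostname in it are constructed for the example; nothing is fetched from the network.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class ScriptCollector(HTMLParser):
    """Collect the src value of every <script src="..."> tag; inline scripts are ignored."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def cookie_domain_matches(cookie_domain, host):
    """RFC 6265 domain matching: a cookie scoped to .example.com is sent to
    example.com and to any subdomain of it, but never to example.net."""
    cd = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cd or host.endswith("." + cd)


def audit_scripts(page_url, html, cookie_domain):
    """Return one record per external script: where it loads from, whether that
    is a remote host, and whether the site's cookies travel with the request."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    report = []
    for src in collector.srcs:
        # urljoin resolves relative (/js/app.js) and protocol-relative (//cdn...) references
        absolute = urljoin(page_url, src)
        host = urlparse(absolute).hostname or page_host
        report.append({
            "src": absolute,
            "host": host,
            "remote": host != page_host,
            "cookies_sent": cookie_domain_matches(cookie_domain, host),
        })
    return report


def remote_hosts(report):
    """Sorted, de-duplicated list of the third-party hosts a page trusts to run script."""
    return sorted({r["host"] for r in report if r["remote"]})


# Constructed sample page: one local script, one same-site static host (Akamai-style
# caching), one protocol-relative CDN include, one analytics counter and one ad script.
# All hostnames are made up for this example.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="http://static.example.com/lib.js"></script>
<script src="//cdn.example-cdn.net/jquery.js"></script>
<script>var inline = 1;</script>
</head><body>
<script src="http://analytics.example.net/counter.js"></script>
<script src="http://ads.example.org/show_ads.js"></script>
</body></html>
"""
SAMPLE_COOKIE_DOMAIN = ".example.com"


if __name__ == "__main__":
    for entry in audit_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_COOKIE_DOMAIN):
        where = "REMOTE" if entry["remote"] else "local "
        cookies = "cookies sent" if entry["cookies_sent"] else "no cookies"
        print(f"{where}  {cookies:12}  {entry['src']}")
    print("remote script hosts:", remote_hosts(
        audit_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_COOKIE_DOMAIN)))
```

Run against a real page's saved HTML, the output is the list of hosts whose script can already run in your users' browsers; the distinction between a same-site static host (cookies still sent) and a true third party (no cookies, but full script access to the page) is exactly the trade-off the post describes.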

All of those things together (and probably a lot of other things I haven't thought of as well) make it pretty clear that there's no way big companies are going to lobby the browser companies to shut off remote script sources. They want them. It's good for business. It's terrible from a security perspective, but there you have it. There are mitigating factors, sure, but the concept isn't going away. And speaking from experience, you can't surf without JavaScript turned on all the time. Tons of websites require it (thanks, AdSense and Orkut!), forcing their users into a lower state of security, regardless of their intentions. So we continue to fight the issues on the server instead.
