In order to build an Atlassian Connect app, I need to embed a third-party JavaScript file in the pages rendered by my app (all.js).
Embedding third-party JavaScript is known to be risky business: I need to trust the vendor not to include any malicious code that tries to grab information from my app that it’s not supposed to access.
OWASP acknowledged this as a major risk and they recommend counter-measures to avoid some of the common risks.
As far as I see, I don’t have a lot of options to securely embed Atlassian’s JavaScript. Subresource Integrity checks don’t seem to be available, and the custom cross-domain JavaScript bridging handshake that happens before embedding my content in an iframe makes it impossible to further isolate all.js in another iframe sandbox.
Any ideas how I can be on the safe side when including all.js in any of my pages, without risking leaking information because of malicious code that could potentially be contained in all.js?