The newest craze is widgets. Most of the time they advertise their services like "just put this one line in your web page and you can X", where that one line is usually a script tag. Their advertisement is entirely correct: they can do X to your page (whatever X may be), but they can do much more:
- Steal cookies from your visitors (including session id)
- Execute a session fixation attack
- Execute a phishing attack
- Execute actions on their behalf
- Steal passwords (with a technique recently discovered)
- And generally act as part of your website
What can you do if you are the publisher of widgets? The easiest migration path is to place them in an IFRAME and give your users the code to include the IFRAME instead of a script file. You will lose some possibilities (like manipulating the elements directly on the page), but 95% of the things out there don't need that. The more problematic thing is that you lose the ability to automatically resize your content. This can be partially mitigated by giving the user the ability to customize the generated IFRAME code by specifying width and height. Then again, this raises problems with the zoom features present in browsers. An alternative (practiced partially by Feedburner, for example) is to give out code which serves up images. They can even be animated (if you use GIFs). It is a little harder to migrate to this solution, but it has the benefit of a larger potential audience (because while most forums disallow HTML or scripting in the signature, they do allow images).
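As an added example (not code from the original post), here is a small publisher-side helper that generates the IFRAME embed snippet users paste into their pages, with the user-supplied width and height validated as plain integers and the widget URL escaped, so the "customize your embed code" form cannot be used to inject markup into the snippet. The widget URL, the widget id format and the sandbox attribute (a browser feature added after this post was written) are assumptions.

```javascript
// Added example: builds the IFRAME embed code for a widget instead of a
// <script> include. WIDGET_BASE and the widget id format are assumed.
const WIDGET_BASE = "https://widgets.example.com/show"; // assumed URL

function escapeAttr(s) {
  // Escape the characters that could break out of an HTML attribute value.
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function parseDimension(value, fallback, max) {
  // Accept only a plain positive integer up to max; anything else
  // ("300px", '"><img ...', an empty string) falls back to the default.
  if (!/^\d{1,4}$/.test(String(value))) return fallback;
  const n = Number(value);
  return n > 0 && n <= max ? n : fallback;
}

function buildIframeEmbed(widgetId, width, height) {
  // The widget id is opaque text; restrict it to a safe character set.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(String(widgetId))) {
    throw new Error("invalid widget id");
  }
  const w = parseDimension(width, 300, 2000);
  const h = parseDimension(height, 250, 2000);
  const src = `${WIDGET_BASE}?id=${encodeURIComponent(widgetId)}&w=${w}&h=${h}`;
  // The framed widget is cross-origin to the embedding page, so it cannot
  // read that page's cookies or DOM. The sandbox attribute (not in the
  // post; supported by modern browsers) additionally stops the frame from
  // navigating the top window or opening popups while keeping its own
  // origin and scripts.
  return (
    `<iframe src="${escapeAttr(src)}" width="${w}" height="${h}" ` +
    `frameborder="0" scrolling="no" ` +
    `sandbox="allow-scripts allow-same-origin"></iframe>`
  );
}

function buildScriptEmbed(widgetId) {
  // The script-tag form the post warns about, for comparison: this code
  // runs with the embedding page's origin and can do everything the page can.
  const src = `${WIDGET_BASE}?id=${encodeURIComponent(widgetId)}`;
  return `<script src="${escapeAttr(src)}"></script>`;
}
```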
Finally, if you are a simple user, you can use the NoScript extension if you're using Firefox, or disable scripting for your Internet zone and manually add sites you trust to the trusted zone if you are using Internet Explorer. Neither solution is perfect: although the NoScript extension is definitely easier to use than zones in Internet Explorer, it's not always clear which domains you should enable to get a site working. It also seems to slow down the browser.