Crossorigin
The crossorigin="anonymous" attribute should always be added to external resources so that no user credentials are transmitted. When external files are loaded with a GET request, HTTP user credentials are exchanged by default. If the source host is compromised, an attacker could use these details for attacks.
<script src="https://www.google.com/adsense/domains/caf.js" type="text/javascript"></script> [http://www.revolvy.com/index.php/(,).,..)/]
<script src="https://img1.wsimg.com/parking-lander/static/js/2.fbe2b9f1.chunk.js"></script> [http://www.revolvy.com/index.php/(,).,..)/]
<script src="https://img1.wsimg.com/parking-lander/static/js/main.6f5dc497.chunk.js"></script> [http://www.revolvy.com/index.php/(,).,..)/]
Integrity
The integrity="sha256-..." attribute should always be added to external files hosted on another domain, because unexpected manipulation or corruption of the code can lead to session hijacking or similar script-related attacks.
<script src="https://www.google.com/adsense/domains/caf.js" type="text/javascript"></script> [http://www.revolvy.com/index.php/(,).,..)/]
<script src="https://img1.wsimg.com/parking-lander/static/js/2.fbe2b9f1.chunk.js"></script> [http://www.revolvy.com/index.php/(,).,..)/]
<script src="https://img1.wsimg.com/parking-lander/static/js/main.6f5dc497.chunk.js"></script> [http://www.revolvy.com/index.php/(,).,..)/]
Link Referrer
The rel="noreferrer" attribute should always be added to external links to prevent reverse tabnabbing in older browsers that do not support the rel="noopener" attribute, and to prevent phishing attacks.
<a href="https://www.enable-javascript.com/" target="_blank">instructions how to enable JavaScript in your web browser</a> [http://www.revolvy.com/index.php/(,).,..)/]
Link Opener
The rel="noopener" attribute should always be added to external links that open in a new tab, to reduce the risk of reverse tabnabbing. Otherwise, JavaScript on the new page has full control over the previously visited page, including permission to change the DOM object and possibly steal session cookies.
<a href="https://www.enable-javascript.com/" target="_blank">instructions how to enable JavaScript in your web browser</a> [http://www.revolvy.com/index.php/(,).,..)/]