I've got a marketing team that wants social sharing buttons (Facebook, G+, SU, and so forth) on our site. The security team brought up a point that I'm embarrassed to admit I hadn't really considered before: since 3rd-party JS is an attack vector, we shouldn't load it directly off the third party servers.
The risk
I'll use Facebook as the example. Someone at FB could add some sneaky backdoor code to watch users or at very least grab their email & name from our site. DNS cache poisoning could be used to serve malicious Javascript instead of the expected FB library. Etc - there are probably many more attack vectors here.
Possible solutions
-Host the JS locally (after vetting it for security holes), and run curl+diff on cron to watch for updates -- vetting those updates before hosting. This isn't really viable because FB and g+ both load additional libraries offsite after their primary lib is loaded, and I haven't found a way around that.
-Don't use social sharing buttons?
Is there an accepted best practice here? My first reaction is that, come on, this is Google and Facebook. If something malicious happens to their social sharing buttons, the entire Internet is going to know about it in 0.001 seconds. What say you?
There really isn't any generally accepted solution for this besides either: