Kingdom: Encapsulation
Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
Hardcoded Domain in HTML
Abstract
Including a script from another domain means that the security of this web page is dependent on the security of the other domain.
Explanation
Including executable content from another web site is a risky proposition. It ties the security of your site to the security of the other site.
Example: Consider the following
If this tag appears on a web site other than
Example: Consider the following
script tag.
<script src="http://www.example.com/js/fancyWidget.js"></script>
If this tag appears on a web site other than
www.example.com, then the site is dependent upon www.example.com to serve up correct and non-malicious code. If attackers can compromise www.example.com, then they can alter the contents of fancyWidget.js to subvert the security of the site. They could, for example, add code to fancyWidget.js to steal a user's confidential data.desc.content.html.hardcoded_domain