Well, any third-party script that you embed on your website can edit your site and do many other nefarious things (key logging, credential stealing, ...). I never got how people can just copy/paste some random JS into their own websites (often without even using integrity tags). Social embeds in particular have turned the web into a surveillance machine for large corporations, as every FB/Twitter/Instagram/... embed tracks users across every web property that has such an embed, and until very recently almost every major website had such embeds.
Luckily GDPR seems to have a chilling effect on recklessly embedding such stuff without thinking about privacy or security implications. Personally I hope that in a few years third-party embeds will mostly be a thing of the past.
We used to have this concept in software engineering, called "coupling". Dependency or independence of each module greatly determines the quality and reliability of the overall system. Generally, too much coupling is bad. But you can also use inappropriate coupling, where even a little is bad. This is an example of inappropriate "external control coupling" (where JS code is being changed remotely - am I wrong?) arising where light data coupling (where data only is pulled in) is required.

The "web" has been going to hell in this way for a decade at least, because it ceased to have boundaries. Without boundaries there cannot be responsibility. Widespread introduction of JavaScript created a quite different kind of technology from the WWW in which concepts of client-browser and document-server made any sense.

Minus any reliability/security it can't be considered safe for delivery of important materials now. If even the site owner can't trust what you see on a site, that's bad (though as people point out, we've had this even since banner ads). But it's why I think the future of critical "information services" (as opposed to e-commerce / social media) is on something like Gemini.
You have to have some level of trust - our ASP.NET website loads quite a few NuGet packages we regularly keep up to date. Theoretically any of them, say Stripe or PayPal, could add nefarious code into our site to steal a bunch of stuff - there's no practical way for us to review the source code before updating.
For JavaScript, if you're paranoid you can add the `integrity` attribute, and most of the time you can self-host the JS, although all of these come with maintenance commitments.
I think it's reasonable if you trust the source (Twitter for example) to embed their third party code.
The difference is that you have a contractual relationship with Stripe or PayPal when you use their services. When you embed FB/Twitter/... content there's no such relationship; that's the issue.
OK, bad examples, but any open source project you use via a package manager in your projects you have to trust, and there's no contract or relationship there.
Yes, but bundling packages via npm is not an issue either; it's the fact that third-party embeds transfer personal data to the third party whenever a user visits the website that is the central issue.