Verifying and Researching Unknown JavaScript (JS)

Overview

After you insert osano.js into the head of your website, Osano will automatically begin discovering and reporting the full URL of each script that attempts to load. These discoveries help ensure compliance and enable better management of third-party scripts. However, not all discovered elements are relevant or essential, and this document will guide you through handling them.

How Osano Discovers JavaScript

Scripts are detected when a script tag attempts to load another script (for example, tag managers) or when changes occur in the DOM. Osano continuously monitors these activities to discover the source of the scripts. Because of this method, scripts created or injected by JavaScript from external sources, such as plugins or infected user browsers, may also be detected. While Osano filters out what it can, some external scripts may still appear in the discoveries.

 

Recommendations for Managing Discovered Scripts

When external or unknown scripts are detected, Osano offers several options for handling them:

  • Leave in 'Discovered' & Clear: In Osano, leave these scripts in the "Discovered" section and click "Publish," followed by "Clear & Publish." This action clears the Discovered section, and any one-off scripts that may have been erroneously captured will not be rediscovered.

    • Note: If a script reappears after a "Clear & Publish" (for example, within 24 hours), it likely exists somewhere on your website. At this point, you should research, blocklist, or ignore the script as needed.

  • Blocklist the Script: If the script is unnecessary or potentially harmful, you can blocklist it. This ensures that the script will not run again on your site, similar to categorizing other scripts.

  • Ignore the Script: By using the "Ignore" button (located next to "Save to Managed" in Osano), you can remove these scripts from the Discovered section and hide them from view.

 

Researching and Identifying Unknown Scripts

While Osano assists in the classification of scripts, there may be instances when a script remains unidentified. Below are steps you can take to identify these unknown elements:

 

Option 1: Use Search Engines or AI Tools

The easiest way to identify an unknown script is to use a search engine to look up the script URL or root domain.

For example, searching for the root domain of a script like snap.licdn.com would reveal that this script belongs to LinkedIn and functions as an ad pixel. Vendor documentation is often the most reliable source for understanding the purpose of a script.

Additionally, AI models like GitHub Copilot and ChatGPT can be useful for identifying known scripts and may even provide sources in their output.

 

Option 2: Investigate Your Website

If search engine results don’t yield sufficient information, you can investigate your site directly:

  • Open Developer Tools: Right-click on your site and select "Inspect" or "Developer Tools."
  • Check Scripts in Network Tab: In the Developer Tools window, navigate to the "Network" tab and apply the JS filter (or a similar filter) to show only JavaScript files.

  • Review Loaded Scripts: As you navigate your site, you will see a list of scripts loading on each page. You can inspect the full script, the initiator, and the referrer for additional context, which may help with classification.

For example, a script might be tied to a specific vendor or third-party service, like a script from the hsappstatic.net domain that belongs to HubSpot.

This method may not identify every script, but it provides a good starting point for further research.
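
The console snippet below is an added example, not part of Osano's product or documentation. It groups the script requests recorded for a page by root domain, which gives you the names to look up under Option 1. The sample entries and the `rootDomain` and `thirdPartyScripts` helpers are constructed for illustration, and the root-domain guess is a simplifying assumption.

```javascript
// Added example, not Osano code. Entries mimic Resource Timing records
// ({ name, initiatorType }); the sample values below are constructed.
const SAMPLE_PAGE = "https://www.example.com/pricing";
const SAMPLE_ENTRIES = [
  { name: "https://www.example.com/assets/app.js", initiatorType: "script" },
  { name: "https://snap.licdn.com/example/tag.js", initiatorType: "script" },
  { name: "https://static.hsappstatic.net/example/bundle.js?v=1", initiatorType: "script" },
  { name: "https://static.hsappstatic.net/example/bundle.js?v=2", initiatorType: "script" },
  { name: "https://unknown-cdn.example.org/x.js?uid=123", initiatorType: "other" },
  { name: "https://cdn.example.net/pixel.gif", initiatorType: "img" },
];

// Naive root domain: last two host labels. Assumption: fine for triage;
// multi-part suffixes such as co.uk need the Public Suffix List.
function rootDomain(host) {
  if (/^[\d.]+$/.test(host) || host.includes(":")) return host; // IP literal
  return host.toLowerCase().split(".").filter(Boolean).slice(-2).join(".");
}

// Map of root domain -> unique third-party script URLs (query strings dropped).
function thirdPartyScripts(entries, pageUrl) {
  const firstParty = rootDomain(new URL(pageUrl).hostname);
  const byDomain = new Map();
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry.name, pageUrl);
    } catch (err) {
      continue; // skip names that are not parsable URLs
    }
    if (!/^https?:$/.test(url.protocol)) continue;
    const isScript = entry.initiatorType === "script" || /\.m?js$/i.test(url.pathname);
    const domain = rootDomain(url.hostname);
    if (!isScript || domain === firstParty) continue;
    const clean = url.origin + url.pathname;
    const seen = byDomain.get(domain) || [];
    if (!seen.includes(clean)) seen.push(clean);
    byDomain.set(domain, seen);
  }
  return byDomain;
}

// In a browser console, run against the live page; elsewhere use the sample.
const inBrowser = typeof document !== "undefined";
const report = inBrowser
  ? thirdPartyScripts(performance.getEntriesByType("resource"), location.href)
  : thirdPartyScripts(SAMPLE_ENTRIES, SAMPLE_PAGE);
for (const [domain, urls] of report) console.log(domain, urls);
```

Pasted into the Developer Tools console, it reports on the current page; the Network tab's initiator information then shows what loaded each listed URL.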

 

Additional Insights

Osano’s discovery process emphasizes the importance of maintaining control over what runs on your website. By regularly reviewing discovered scripts and employing the options mentioned above, you can prevent potential issues caused by unwanted scripts, whether from external sources or malicious injections.

By taking proactive steps to monitor, classify, and manage scripts effectively, you ensure a secure and compliant environment for your website’s users.