Re: [w3ctag/design-reviews] Prefetch request changes to improve privacy (#398)

*Context: I was asked to comment here by @kenchris. I created and operate https://pika.dev/cdn.*


How are cross-origin CDNs considered in this change? My understanding is that this suggested change would kill the cache efficiency story of cross-origin CDNs, which is extremely troubling.

The ability to cache resources across domains is a huge benefit to using cross-origin CDNs at scale. The more use that they get, the more likely cache hits are, and the faster those websites become (potentially faster than if they'd served their own JS). Two examples:  

**1. "This month, July 2019, cdnjs served almost 190 billion requests ... Lodash (4.17.11) skyrocketed to the top of the list this month with 8.7 billion requests."[[1]](https://github.com/cdnjs/cf-stats/blob/master/2019/cdnjs_July_2019.md)**
I imagine the cache efficiency lost due to this change for this CDN alone (jQuery, lodash, etc) will be massive.

**2. "Approximately 100% of the Fortune 500 already use npm to acquire approximately 97% of their JavaScript code." [[2]](https://blog.npmjs.org/post/182958759735/managing-javascript-in-the-enterprise)** 
Pika is creating a CDN for modern npm packages that can run in the browser. The project is only a few months old today, but with ESM it becomes feasible for sites to load their npm dependencies from our CDN (or UNPKG, or another cross-origin CDN like it) in production. Basically, cdnjs for npm. In that world, every npm package would only be loaded once across all participating sites, and would then be cached and reused on future visits. Imagine if most sites never had to load React, ReactDOM, Preact, Vue, the 100 most popular npm packages, etc.

Obviously security is a huge concern, and I completely understand and appreciate the work being done here. But as others have pointed out, the perceived threat (cached file detection) doesn't outweigh the serious performance hit for CDNs.

As we moved towards bundling all of our JavaScript into custom site bundles over the last decade, cross-origin CDNs have gone out of fashion. But they clearly are still heavily used today (see cdnjs stats above), and we see them playing a big part in the future of the web once ESM becomes standard... *as long as the current performance story isn't destroyed.*

tldr: https://twitter.com/rektide/status/1156261839623401472


(PS: Please add that single explainer doc! I read through the different threads but there's a chance I could have misunderstood/missed something, in which case please let me know!).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/398#issuecomment-520113272

Received on Saturday, 10 August 2019 03:14:46 UTC