Re: [whatwg] Caching of identical files from different URLs using checksums

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 7 Jun 2012 22:10:57 +0000 (UTC)
To: Sven Neuhaus <sven.neuhaus@evision.de>
Message-ID: <Pine.LNX.4.64.1206072210010.378@ps20323.dreamhostps.com>
Cc: whatwg@lists.whatwg.org

On Fri, 17 Feb 2012, Sven Neuhaus wrote:
> Hello,
> 
> as of 2012, some websites are including popular JavaScript libraries from CDNs, like
> Google's. The benefits are:
> 
> * Traffic savings for the site operator because the JavaScript libraries are downloaded from
>   the CDN and not from the site that uses them
> * If enough sites refer to the same external file, the browser will cache the file and even if
>   it's a first visit, the (potentially large) JavaScript file will not have to be downloaded.
> 
> There are however some drawbacks to this approach:
> 
> * Security: The site operator is trusting an external site.  If the CDN serves a malicious file
>   it will directly lead to code execution in browsers under the domain settings of the site
>   including it (a form of cross-site scripting).
> * Availability: The site depends on the CDN to be available. If the CDN is down the site may not
>   be available at all.
> * Privacy: The CDN will see requests for the file with HTTP referer headers for every visitor
>   of the site.
> * Extra DNS lookup if file is not already cached
> * Extra HTTP connection (can't use persistent connection because it's a different site) if file is not cached
> 
> I am proposing a solution that will solve all these problems, keep the 
> benefits and offer some extra advantages:
> 
> 1. The site stores a copy of the library file(s) on its own site.
> 2. The web page includes the library from the site itself instead of from the CDN
> 3. The script tag specifies a checksum calculated using a cryptographic hash function.

This kind of thing has been proposed a number of times. Unfortunately, 
each time it has not gotten traction from browser vendors. I recommend 
approaching browser vendors directly and encouraging them to implement 
a solution along these lines.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 7 June 2012 22:11:27 UTC
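
The following is an added example, not part of the original thread or of any browser's code: a minimal model of the cache the quoted proposal describes, indexed by checksum instead of URL. The class name, the choice of SHA-256, the `fetchFn` stand-in for the network and the `.example` URLs are all assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical model of a browser cache indexed by content checksum, not URL.
class ChecksumCache {
  constructor() {
    this.byDigest = new Map(); // verified digest -> body
    this.fetches = 0;          // number of simulated network requests
  }

  static digest(body) {
    return nodeCrypto.createHash('sha256').update(body).digest('hex');
  }

  // expected: checksum declared in the script tag; fetchFn: stand-in for the network.
  load(url, expected, fetchFn) {
    if (this.byDigest.has(expected)) {
      return { source: 'cache', body: this.byDigest.get(expected) };
    }
    this.fetches += 1;
    const body = fetchFn(url);
    // Hash the bytes actually received; the declared value is only a claim.
    const actual = ChecksumCache.digest(body);
    if (actual !== expected) {
      return { source: 'rejected', body: null }; // never execute, never cache
    }
    this.byDigest.set(actual, body); // stored under the digest we computed ourselves
    return { source: 'network', body };
  }
}

function demo() {
  // Constructed sample data: one library, one tampered copy, three made-up sites.
  const lib = Buffer.from('function lib(){return 1;}');
  const tampered = Buffer.from('function lib(){return 2;}');
  const network = {
    'https://site-a.example/js/lib.js': lib,
    'https://site-b.example/static/lib.js': lib,
    'https://site-c.example/lib.js': tampered,
  };
  const fetchFn = (url) => network[url];
  const sum = ChecksumCache.digest(lib);
  const cache = new ChecksumCache();
  const sources = Object.keys(network).reverse()   // site-c first, on an empty cache
    .concat('https://site-c.example/lib.js')       // site-c again, once a verified copy exists
    .map((url) => cache.load(url, sum, fetchFn).source);
  return { sources, fetches: cache.fetches };
}
```

The cache is only ever filled with bytes whose computed digest matched, so a page that declares a checksum cannot seed the cache with content it did not actually deliver. Once a verified copy exists, the tampered server is not contacted at all.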