- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 7 Jun 2012 22:10:57 +0000 (UTC)
- To: Sven Neuhaus <sven.neuhaus@evision.de>
- Cc: whatwg@lists.whatwg.org
On Fri, 17 Feb 2012, Sven Neuhaus wrote: > Hello, > > as of 2012, some websites are including popular javascript libraries from CDNs, like > Google's. The benefits are: > > * Traffic savings for the site operator because the javascript libraries are downloaded from > the CDN and not from the site that uses them > * If enough sites refer to the same external file, the browser will cache the file and even if > it's a first visit, the (potentially large) javascript file will not have to be downloaded. > > There are however some drawbacks to this approach: > > * Security: The site operator is trusting an external site. If the CDN serves a malicious file > it will directly lead to code execution in browsers under the domain settings of the site > including it (a form of cross site scripting). > * Availability: The site depends on the CDN to be available. If the CDN is down the site may not > be available at all. > * Privacy: The CDN will see requests for the file with HTTP referer headers for every visitor > of the site. > * Extra DNS lookup if file is not already cached > * Extra HTTP connection (can't use persistent connection because it's a different site) if file is not cached > > I am proposing a solution that will solve all these problems, keep the > benefits and offers some extra advantages: > > 1. The site stores a copy of the library file(s) on its own site. > 2. The web page includes the library from the site itself instead of from the CDN > 3. The script tag specifies a checksum calculated using a cryptographic hash function. This kind of thing has been proposed a number of times. Unfortunately, each time it has not gotten traction from browser vendors. I recommend approaching browser vendors directly and encouraging them to implement a solution along these lines. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 7 June 2012 22:11:27 UTC