Why don't we use the JavaScript library on the CDN if the webpage uses SSL (https)?

For JavaScript libraries such as jQuery or YUI3, Google or Yahoo place the scripts on their CDN, and the YUI 3 Cookbook contains this paragraph:

your pages may be using SSL, in which case loading remote resources is a bad idea as it exposes your users' secure information to the remote site

I can only see that the CDN site must be well trusted; otherwise malicious JavaScript may be running on the web pages at www.mycompany.com. But, assuming the CDN sites (Google and Yahoo) are well trusted, why does the SSL web page not want to include this JavaScript library from the CDN? How can it “expose your users' secure information to the remote site”, as described in the reservation?

+3
3 answers

Downloading external JavaScript libraries via SSL into an encrypted web page can be seen as a betrayal of user trust, since the information that the user provides to the site is no longer, even theoretically, only between them and the protected site. In addition, in case of a compromise of the external library, the information transmitted to the website itself may also be compromised.

Ryan Grove, the developer of YUI3, dwells on this here in detail.

In short,

[...], allowing FooCo to execute any JavaScript that it wants on your site. You download this JavaScript securely over SSL, so the browser does not show any scary warnings, but now your users aren't just chatting with buygadgets.example.com. Now they're also talking to cdn.foolib.com, and since cdn.foolib.com can run JavaScript on your pages, they can also see any information that the user reads or accesses on these pages.

Of course, whether you decide to pull external executable code over SSL depends on how important security is for your particular use case, and there are different opinions on this issue.

+2

It depends on whether the CDN has a secure version of the resource you are requesting. Google seems better than Yahoo! from what I saw.

You can use non-protocol links to CDN resources, as shown below:

Works with http or https:

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>

Only works with http:

<link rel="stylesheet" type="text/css" href="//yui.yahooapis.com/3.8.0/build/cssreset/cssreset-min.css" />

You can also conditionally load scripts from the CDN and fall back to local versions:

<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/jquery-ui.min.js"></script>
<script>
  // If the CDN copy of jQuery UI did not load (or jQuery itself is missing),
  // write a script tag for the local copy instead.
  !(window.jQuery && window.jQuery.ui) && document.write(unescape('%3Cscript src="/scripts/jquery-ui-1.8.14.min.js"%3E%3C/script%3E'))
</script>
+1

This means that the content on your site is both from a secure server and from an insecure server. In addition, you can send data to a secure and an insecure server (the CDN site). This is really a tool to ensure the security of your site: if you use SSL, it is reasonable to serve all your resources using SSL.

Having said that, most CDNs can serve these resources over an SSL connection (including Google).

0
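A small audit that applies the resolution rule from the second answer (a protocol-relative `//host/...` reference inherits the page's scheme) together with the mixed-content concern from the third, as an added example that is not part of any of the answers above. It assumes Node.js or a browser with the WHATWG `URL` class; the page URL, the tag list and the `cdn.example.net` host are constructed sample data, not taken from the original page.

```javascript
// Added example (not from the original answers): classify the subresources a
// page references by how each URL resolves against the page's own origin.
// Assumes Node.js or a browser, both of which provide the WHATWG URL class.

// Constructed sample: an https page that references the two protocol-relative
// tags shown in the answers, one absolute http script and one local script.
const PAGE_URL = "https://www.mycompany.com/account/settings";
const SAMPLE_HTML = `
<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<link rel="stylesheet" type="text/css" href="//yui.yahooapis.com/3.8.0/build/cssreset/cssreset-min.css" />
<script src="http://cdn.example.net/analytics.js"></script>
<script src="/scripts/jquery-ui-1.8.14.min.js"></script>
`;

// Pull the src/href attribute out of every <script> and <link> tag. A regex is
// enough to audit well-formed markup like the sample; it is not a full HTML parser.
function extractResourceUrls(html) {
  const re = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const refs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    refs.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return refs;
}

// Resolve one reference the way the browser does and classify the result:
//   same-origin    served by the site itself
//   third-party    another origin that will run script/CSS in the page's context
//   mixed-content  a non-https load into an https page; browsers treat scripts
//                  and stylesheets as active mixed content and block them
function classifyResource(ref, pageUrl) {
  const page = new URL(pageUrl);
  const resolved = new URL(ref, page); // handles "/path", "//host/path" and absolute URLs
  let kind;
  if (resolved.origin === page.origin) {
    kind = "same-origin";
  } else if (page.protocol === "https:" && resolved.protocol !== "https:") {
    kind = "mixed-content";
  } else {
    kind = "third-party";
  }
  return { url: resolved.href, origin: resolved.origin, kind };
}

// Audit a whole document: one entry per <script>/<link> reference found.
function auditPage(html, pageUrl) {
  return extractResourceUrls(html).map(({ tag, url }) => ({
    tag,
    ...classifyResource(url, pageUrl),
  }));
}

// Stand-alone run: print the report for the constructed sample page.
for (const entry of auditPage(SAMPLE_HTML, PAGE_URL)) {
  console.log(`${entry.kind.padEnd(14)} <${entry.tag}> ${entry.url}`);
}
```

On the sample page the two protocol-relative references resolve to `https://` URLs and are reported as `third-party` (they load fine, but the remote origin runs in the page's context, which is the first answer's point), the absolute `http://` script is `mixed-content`, and the local jQuery UI copy is `same-origin`. Resolving the same `//yui.yahooapis.com/...` reference against an `http://` page URL yields an `http://` resource, which is exactly why the second answer calls those links "non-protocol".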
