Is it good to NOT use a public CDN to load Javascript libraries?

I have heard all cases of using CDN, for example, the Google API for hosting JavaScript libraries such as jQuery and Prototype for my web application. This is faster, saves bandwidth, allows parallel loading of scripts, etc. But I recently stumbled upon the following comment in a Douglas Crockford json2.js script:

USE YOUR OWN COPY. THIS IS EXTREMELY UNWISE TO LOAD CODE FROM SERVERS YOU DO NOT MANAGE.

I am curious what his argument behind this statement is and is it specifically intended for users of publicly available CDNs such as Google or something else?

+6
7 answers

Assuming he's talking about professionally hosted CDNs like Google, the best thing to do is:

    <!-- Grab Google CDN jQuery, with a protocol relative URL; fall back to local if necessary -->
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.js"></script>
    <script>window.jQuery || document.write("<script src='js/libs/jquery-1.5.1.min.js'>\x3C/script>")</script>

(taken from http://html5boilerplate.com/ )

Thus, you get all the benefits without the risk of hacking your site if the Google CDN goes down.

But he said:

USE YOUR OWN COPY. THIS IS EXTREMELY UNWISE TO LOAD CODE FROM SERVERS YOU DO NOT MANAGE.

Actually, I don't think he is talking about CDN. I think he simply said: "Do not script from arbitrary sites."

You will not want to do this because the website may change where the script is located, or even change the script. CDN would never do that.

+10

Basically, this is a matter of trust. You must trust the host so that nothing changes in the hosted file, and you need to trust the availability of the file. Can you be absolutely sure that the URL will not change? Are you comfortable with the fact that the downtime of their servers leads to the downtime of your application?

+2

The reason is that if the server you are hanging on goes down, and yours does not. Your site's experience is suffering. There are ways to have a backup, so if jquery or some other script does not load, you can use the copy that you are hosting as a backup.

Another time, you should not use it in an Intranet application script, where bandwidth is usually not a problem.

John Galloway backup method: http://weblogs.asp.net/jgalloway/archive/2010/01/21/using-cdn-hosted-jquery-with-a-local-fall-back-copy.aspx

    <script type="text/javascript" src="http://ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js"></script>
    <script type="text/javascript">
    if (typeof jQuery == 'undefined') {
        document.write(unescape("%3Cscript src='/Scripts/jquery-1.3.2.min.js' type='text/javascript'%3E%3C/script%3E"));
    }
    </script>

0

If the js public server is hacked (availability, security or error), visitors to your site will be affected and will probably blame you. On the other hand, what are the chances that the Google CDN will be compromised regarding the capabilities of a small server company? You also lose all the caching benefits that CDN gives you when you host locally.

0

While some of these other answers are certainly valid, we have a slightly different / additional reason.

We have a process that, at the first request, determines what static content is required for any page. In the background, this static content (js, css) is combined and converted into a single file (1 for JS, 1 for CSS), and then all future requests are served by one file instead of several.

Although we could theoretically exclude files that can be submitted to a CDN and use a CDN for them, it's actually easier (because we really need to add code to handle the exceptions), and in some cases faster than using a CDN.

0

jQuery is open source. If you made changes to the insides, then obviously you cannot remove another server. In general, posting other people's scripts is a security risk; they could change the script without even telling you, and now you link it to your pages.

This is a matter of trust; Do you believe that any CDN will be safe so as not to place a malicious script in the location of the script you need?

0

In addition to all other answers:

You want to worry about how to serve your pages via SSL (i.e. https), but your JS via direct http from another source. Browsers may complain (sometimes in an alarming way) about protected and unprotected items.

In addition, users browsing with the noscript extension (or similar) should allow JS to run from several different sources. Not such a big deal if you use the main CDN (however, at some point it was possible), but then you need to worry that they only allow some of your JSs.

0
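
Several answers above come down to trusting that the hosted file does not change. Browsers can enforce that with Subresource Integrity, where the script tag carries a hash of the bytes you reviewed. The following is an added example, not code from any answer in this thread; it runs under Node.js, and the function names, the sample script body and the URL and path passed by the caller are constructed for illustration.

```javascript
const crypto = require("crypto");

// Strength order browsers use when an integrity attribute lists several hashes.
const ALGOS = ["sha256", "sha384", "sha512"];

// Build the integrity value ("sha384-<base64 digest>") for a script body.
function sriHash(content, algo = "sha384") {
  if (!ALGOS.includes(algo)) throw new Error("unsupported algorithm: " + algo);
  return algo + "-" + crypto.createHash(algo).update(content).digest("base64");
}

// Check a fetched body against an integrity attribute the way a browser does:
// ignore unknown algorithms, keep only the strongest one listed, and accept
// if any digest given for that algorithm matches.
function verifySri(content, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((tok) => {
      const i = tok.indexOf("-");
      // Drop any "?option" suffix the SRI grammar allows after the digest.
      return { algo: tok.slice(0, i), digest: tok.slice(i + 1).split("?")[0] };
    })
    .filter((m) => ALGOS.includes(m.algo));
  // No usable metadata: a browser would load the script unchecked; fail closed here.
  if (parsed.length === 0) return false;
  const strongest = parsed.reduce((a, b) =>
    ALGOS.indexOf(b.algo) > ALGOS.indexOf(a.algo) ? b : a).algo;
  return parsed
    .filter((m) => m.algo === strongest)
    .some((m) => sriHash(content, strongest) === strongest + "-" + m.digest);
}

// Emit the CDN tag pinned to the reviewed bytes, plus the local fallback check
// used in the answers above. A hash mismatch blocks the CDN copy, so
// window.jQuery stays undefined and the self-hosted file is loaded instead.
function pinnedScriptTags(cdnUrl, reviewedBody, localPath) {
  return [
    `<script src="${cdnUrl}" integrity="${sriHash(reviewedBody)}" crossorigin="anonymous"></script>`,
    `<script>window.jQuery || document.write("<script src='${localPath}'>\\x3C/script>")</script>`,
  ].join("\n");
}

// Constructed sample input: stands in for the library file you reviewed.
const reviewed = "window.jQuery = function () { /* constructed sample */ };";
const tampered = reviewed + "\n/* constructed change made on the host */";
```

The integrity attribute only helps when the URL points at a fixed version of the file; a URL that tracks "latest" will fail the check on every legitimate update.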

Source: https://habr.com/ru/post/889703/