Skip to content Skip to sidebar Skip to footer
Home / Cdn / Javascript / Ssl / Yui3

Why Would We Not Use Javascript Library On A Cdn If The Webpage Is Using Ssl (https)?

Post a Comment
For JavaScript libraries such as jQuery or YUI3, either Google or Yahoo are hosting the scripts on their CDN, and a YUI 3 Cookbook paragraph says: perhaps your pages use SSL, in w

Solution 1:

Loading external Javascript libraries via SSL onto an encrypted webpage can be seen as betraying a user's trust, as the information the user provides to the website is no longer, theoretically, between just them and the secure website. Furthermore, in the event of an external library becoming compromised, the information passed to the website itself could be compromised as well.

Ryan Grove, a YUI3 developer, has elaborated upon this in detail here.

In short,

[...] you’re letting FooCo execute any JavaScript it wants on your website. You’re loading that JavaScript securely over SSL, so the browser isn’t displaying any scary warnings, but now your users aren’t just communicating with buygadgets.example.com. Now they’re also communicating with cdn.foolib.com, and since cdn.foolib.com can run JavaScript on your pages, they can also see any information the user reads or enters on those pages.

Of course, whether or not you decide to pull external executable code over SSL is relative to how important security is to your particular use case, and there are varying opinions on this subject..

Solution 2:

It depends if the CDN has a secure version of the resource you're requesting. Google seems to be better at this than Yahoo! from what I've seen.

You can use protocol-less references to CDN resources like below:

Works from http or https:

<scripttype="text/javascript"src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>

Works from http only:

<link rel="stylesheet"type="text/css"
    href="//yui.yahooapis.com/3.8.0/build/cssreset/cssreset-min.css" />

You can also do conditional loading of scripts from a CDN and fall back to local versions:

<scriptsrc="//ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/jquery-ui.min.js"></script><script>
    !window.jQuery.ui && document.write(            
    unescape('%3Cscript src="/scripts/jquery-ui-1.8.14.min.js"%3E%3C/script%3E'))
</script>

Solution 3:

It means the continent on your website is both from a secured server and from an insecure server. Furthermore it's possible to send data to a secured and unsecured server (cdn site). It really is a means to secure your site, if you are suing SSL then it stands to reason to serve all your resources with SSL as well.

Having said all this most CDNs can serve these resources through a SSL connection (including google).

You may like these posts

Post a Comment for "Why Would We Not Use Javascript Library On A Cdn If The Webpage Is Using Ssl (https)?"