Atkelar (atkelar) wrote,

WTF coding #2 - CDNs

Do you like shooting yourself into your foot? Of course the answer is likely "no!" but some people seem to like it... I can't explain why else someone would use "CDNs" for their scripts or stylesheets on the internet....

Here's my list of top reasons why you never, ever should use CDNs in your websites!

1.: It adds a level of dependency to your application/site. There is a number of reasons why you would not want that. First and foremost, if your customers can access your site through HTTP(s) than you know exactly ONE thing: they can access YOUR site. Chances are high that they cannot access whatever CDN you are using. Sure chances may be higher that they cannot access your site over the CDNs but still: probabilities multiply.

2.: No matter how good the reputation of your CDN is... it might end up on some blocked list. Either DNS or IP... again, if your clients can access your site but not the CDN... it's YOUR site that will look broken!

3.: PRIVACY! For gots sake, look up the specs of the HTTP(s) protocol! Whenever a browser requests some external resource (i.e. script, stylesheet, image,...) it sends alog an "origin information" called "referer header" (misspelled yes, it's a known "bug" in the specs) - that has the full page URL! It also sends along all cookies that the target (CDN) host ever has set on the client! In short: Google (and others) know exactly when your users browse what part of your webpage... and most of the time they even know who that user is - "one user for all the Google" ring a bell? And yes, that includes HTTPS traffic! Information disclosure to the max!

4.: It is "recommended by Google". Yeah. Because the folks at Google only have the best of your and your customers in mind and never ever would gain anything from it, right?

Why would anyone even want to do this? Because it's easy... and the CDN hosters "offer the good deed"... You can save a few kb in traffic on your site, yes... but at what cost?

Let's look at it from a different point of view: everybody and their grandmother is using jQuery by now... it's a decent library (even I have to admit that). But since everybody (almost) is using it from the CDN (the recommended way) Google now has a VERY nice way of tracking just about every browsing session that is out there. Am I the only one who's slightly creeped out by this?

Not that I'm into any conspiracy theory (other than loving movies about that subject) but it sure is starting to look like one. Please people: if YOUR site uses a library/stylesheet/image/whatever, HOST IT YOURSELF!
I'd like to see a feature added to browsers to just outright refuse loading any script/stylesheet/image that is referenced from a different domain/protocol and not send any referrer information for embedded media.

I'm looking for a way to get back control of my internet. Anybody know of plugins to get browsers to load well known content locally even if it's referenced with HTTPS?
Tags: techtalk, wtf
  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded