-1

Why do so many websites serve JavaScripts from ajax.googleapis.com and other third-party sites? Wouldn't it be securer for these sites to host these scripts themselves?

Geremia

2 Answers

3

There may be several considerations made for fetching JS and other assets from remote CDNs. These would include high availability, cost involved in self-hosting, versioning, etc. In these cases, there is some level of security by means of mechanisms such as SRI and CORS.

3
  • Cost
    Everything you load from someone else is one less thing you need to host yourself. The literal cost (and risk of downtime) of hosting may be small, if you're already hosting your own HTML etc., but we should also count as a complexity cost just having those files in your repositories or on your servers where developers are working.
  • Speed
    This one is tricky. If the js in question is common (for example jQuery), then there's a decent chance the user already has a copy of it cached from when they were on a different site. Even if it's not, it's possible that the 3rd party host has a better CDN than you do, which might outweigh the delay of opening a connection from the user-client to an additional server. If this is the only motivation, then you'd really want to do tests of various user-situations, but in light of the above motivation most people don't bother.
  • Maintenance
    Again, this could go either way. If you don't specify the version of the library in question, then your users will instantly and effortlessly benefit from any improvements to that library. On the other hand, there's a risk that the maintainer might introduce a breaking change. (Maintainers usually know better than to do that.)

Of course none of this addresses the question of security. I would assume that when people make these decisions, they either aren't thinking about security, or are consciously (and reasonably) accepting the security risks of adding a third party to their site's operation.

(+1 to zer0kompression for mentioning SRI.)

ShapeOfMatter