Why would we not use JavaScript library on a CDN if the webpage is using SSL (https)?

不打扰是莪最后的温柔 submitted on 2019-12-13 13:37:57

Question


For JavaScript libraries such as jQuery or YUI3, either Google or Yahoo are hosting the scripts on their CDN, and a YUI 3 Cookbook paragraph says:

perhaps your pages use SSL, in which case loading remote resources is a bad idea, as it exposes your users’ secure information to the remote site

I can only see that the CDN site must be well trusted, or else malicious JavaScript can be running on www.mycompany.com's webpages. But assuming the CDN sites (Google and Yahoo) are well trusted, why would an SSL webpage not want to include those JavaScript libraries from a CDN -- how can it "expose your users' secure information to the remote site" as described in the book?


Answer 1:


Loading external Javascript libraries via SSL onto an encrypted webpage can be seen as betraying a user's trust, as the information the user provides to the website is no longer, theoretically, between just them and the secure website. Furthermore, in the event of an external library becoming compromised, the information passed to the website itself could be compromised as well.

Ryan Grove, a YUI3 developer, has elaborated upon this in detail here.

In short,

[...] you’re letting FooCo execute any JavaScript it wants on your website. You’re loading that JavaScript securely over SSL, so the browser isn’t displaying any scary warnings, but now your users aren’t just communicating with buygadgets.example.com. Now they’re also communicating with cdn.foolib.com, and since cdn.foolib.com can run JavaScript on your pages, they can also see any information the user reads or enters on those pages.

Of course, whether or not you decide to pull external executable code over SSL is relative to how important security is to your particular use case, and there are varying opinions on this subject.




Answer 2:


It depends if the CDN has a secure version of the resource you're requesting. Google seems to be better at this than Yahoo! from what I've seen.

You can use protocol-less references to CDN resources like below:

Works from http or https:

<script type="text/javascript"
    src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>

Works from http only:

<link rel="stylesheet"
    type="text/css"
    href="//yui.yahooapis.com/3.8.0/build/cssreset/cssreset-min.css" />

You can also do conditional loading of scripts from a CDN and fall back to local versions:

<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.8.14/jquery-ui.min.js">
</script>
<script>
    !window.jQuery.ui && document.write(
        unescape('%3Cscript src="/scripts/jquery-ui-1.8.14.min.js"%3E%3C/script%3E'))
</script>



Answer 3:


It means the content on your website is both from a secured server and from an insecure server. Furthermore it's possible to send data to a secured and unsecured server (CDN site). It really is a means to secure your site; if you are using SSL then it stands to reason to serve all your resources with SSL as well.

Having said all this, most CDNs can serve these resources through an SSL connection (including Google).



Source: https://stackoverflow.com/questions/13979797/why-would-we-not-use-javascript-library-on-a-cdn-if-the-webpage-is-using-ssl-ht
