[whatwg] Caching of identical files from different URLs using checksums

Ian Hickson ian at hixie.ch
Thu Jun 7 15:10:57 PDT 2012 

On Fri, 17 Feb 2012, Sven Neuhaus wrote:
> Hello,
> 
> as of 2012, some websites are including popular javascript libraries from CDNs, like
> Google's. The benefits are:
> 
> * Traffic savings for the site operator because the javascript libraries are downloaded from
>   the CDN and not from the site that uses them
> * If enough sites refer to the same external file, the browser will cache the file and even if
>   it's a first visit, the (potentially large) javascript file will not have to be downloaded.
> 
> There are however some drawbacks to this approach:
> 
> * Security: The site operator is trusting an external site.  If the CDN serves a malicious file
>   it will directly lead to code execution in browsers under the domain settings of the site
>   including it (a form of cross site scripting).
> * Availability: The site depends on the CDN to be available. If the CDN is down the site may not
>   be available at all.
> * Privacy: The CDN will see requests for the file with HTTP referer headers for every visitor
>   of the site.
> * Extra DNS lookup if file is not already cached
> * Extra HTTP connection (can't use persistent connection because it's a different site) if file is not cached
> 
> I am proposing a solution that will solve all these problems, keep the 
> benefits and offers some extra advantages:
> 
> 1. The site stores a copy of the library file(s) on its own site.
> 2. The web page includes the library from the site itself instead of from the CDN
> 3. The script tag specifies a checksum calculated using a cryptographic hash function.

This kind of thing has been proposed a number of times. Unfortunately, 
each time it has not gotten traction from browser vendors. I recommend 
approaching browser vendors directly and encouraging them to implement 
a solution along these lines.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list