Resynth

JavaScript CDN's: are they a good idea?

On the 15th of June, I wrote a thread on my Mastodon account:

Trusting third parties to host JavaScript and CSS is actually rather silly. Also, seeing as one JS CDN in particular is behind Cloudflare, it is quite a big attack hole.


For one, Cloudflare censors people, depending on their country. Using this means you're trusting two third parties: Cloudflare and the CDN provider.


So a MITM attack is quite possible here.


If you do it the sensible thing and host it on your own server, YOU choose who you deliver that content to.

Also, you have just removed a huge attack vector from your site.


Giving a random third party access to script execution on your website means they can really run anything if they want to.

I also find it quite scary that a large partition of the web relies on these CDNs. Let's stop, and decentralize it by not using them.


Centralization is not the answer, it's their answer. Just because it's the new flashy toy, it doesn't mean you have to follow it.


I'd like to expand on that concept, and clarify a few misconceptions.

First off, while snazzy caching features could theoretically make your website load quicker...

There can be times when a CDN goes down, as evidence by the recent Cloudflare outage. This can be especially problematic when your site relies on said JavaScript files to function.

One of the main reasons of using a CDN is cookies.

When a server responds to a request, it normally sends down a Cookie header. Then, when the browser makes another response to the server, the same Cookie header is sent. This is particularly useful for exchanging data between the client and the server.

Cookies sound great!

But there's a problem...

Let's say example.com's server sets a cookie. On every request, the browser has to send this. This will, of course, create a delay, where the browser has to search the cache or read from your much slower hard drive.

That's why some companies have two domains: their main domain (example.com), and a separate hostname for assets: exampleimg.com.

There is a quick solution to this, though: if you use www.example.com, the cookies stored in that scope won't be accessible by static.example.com. This would make the request size much smaller, and faster.

Honestly, there's a lot more reasons to use a CDN.

Balance out the facts, and decide what's best for you.

resynth1943.article