Don’t Load Javascript off External Sites

Naill writes about Yahoo’s new javascript hosting platform:

Yahoo! is opening up the JavaScript powering its websites a bit more tonight, encouraging developers to directly reference libraries on its servers from within their webpages. Yahoo! User Interface Hosting opens up versioned access to the popular YUI Library, creating faster load times for sites across the web using Yahoo’s optimized, geo-distributed, and reliable data centers.

It’s a shame there’s no way to say:

“Load this content from my site but if you have content with this SHA1 hash loaded from another site go ahead and use that.”

This way you could have the performance boost in a secure manner.

What would be even better is to have Firefox SHA1 the content before it sticks it into cache. This would be perfectly secure and since there’s lots of identical javascript in the wild the browser would see a speed boost. Someone implement that and FAST!
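The two ideas above (pin a hash in the page, and have the browser hash content before caching it) can be sketched as a content-addressed cache. This is an added example, not code from the original post or from any browser; `HashedScriptCache`, `fetchOwn` and the sample library are hypothetical, and SHA-256 is used in place of the post's SHA1.

```javascript
const crypto = require('crypto');

// Hex digest of a script body. SHA-256 is used here in place of the post's SHA1.
function digest(body) {
  return crypto.createHash('sha256').update(body, 'utf8').digest('hex');
}

// Hypothetical browser-side cache keyed by content hash instead of URL.
class HashedScriptCache {
  constructor() { this.byHash = new Map(); }

  // Hash the bytes before caching them, whatever site they came from.
  store(body) {
    const hash = digest(body);
    this.byHash.set(hash, body);
    return hash;
  }

  // "Load from my site, but reuse any cached copy with this hash."
  // fetchOwn is a hypothetical callback returning the body from the page's own origin.
  load(pinnedHash, fetchOwn) {
    if (this.byHash.has(pinnedHash)) {
      return { body: this.byHash.get(pinnedHash), source: 'cache' };
    }
    const body = fetchOwn();
    if (digest(body) !== pinnedHash) throw new Error('hash mismatch, script rejected');
    this.byHash.set(pinnedHash, body);
    return { body, source: 'own-site' };
  }
}

function demo() {
  const lib = 'function toggle(el){el.hidden=!el.hidden;}'; // constructed sample library
  const pinned = digest(lib);                 // hash the site author puts in the page
  const cache = new HashedScriptCache();
  let ownFetches = 0;
  const fetchOwn = () => { ownFetches += 1; return lib; };

  cache.store(lib);                           // copy cached earlier from another site
  const hit = cache.load(pinned, fetchOwn);   // reused without touching our server

  // A modified copy served by the external host lands under a different key.
  const modifiedKey = cache.store(lib + ';extra();');

  // A cold cache plus a body that does not match the pin is refused.
  let rejected = false;
  try { new HashedScriptCache().load(pinned, () => lib + ';extra();'); }
  catch (e) { rejected = true; }

  return { source: hit.source, ownFetches, keysDiffer: modifiedKey !== pinned, rejected };
}
```

Because the cache key is computed from the bytes, a changed file on the external host can never be returned for the pinned hash; the worst case is a cache miss and a fetch from the page's own site.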

The problem with loading scripts directly from Yahoo’s servers, though, is that you’re basically giving Yahoo the right to add javascript to your site anytime they want.

While Yahoo the company wouldn’t do that themselves, they’d be forced to with a US PATRIOT Act request. To add insult to injury, they wouldn’t even be allowed to tell anyone they’re doing it.

And talk about a hacker honeypot! Get filesystem access to one of Yahoo’s servers and you can distribute javascript to thousands of websites across the world. Holy cross site scripting attack batman!


  1. I think that’s a bit paranoid. Don’t forget who the people consuming these javascripts are. They’re programmers. It wouldn’t take long for the dev community to discover stuff like this, and then Yahoo’s credibility in that field would be ruined. Even if they were forced to be dishonest, once the truth got out the program would fall apart.





