Coding with Jesse

Google is Hosting Ajax Libraries

June 2nd, 2008

You may have heard that Google is hosting a number of Ajax APIs, including jQuery, Prototype, script.aculo.us, MooTools and Dojo.

Ajaxian actually has a good write-up of the benefits of this hosting. Long story short: Google's servers do caching and gzip compression as well as or better than most of us know how to do, plus their web hosting is collocated and fast. On top of that, if we all were to get our sites to use the copy of jQuery on Google, our users would be more likely to have it cached before they ever visit our site.

To get started with jQuery 1.2.6, for example, you could just use this script tag:

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>

For other libraries and library loading techniques, check out the documentation.

All of this is really great, and I plan on using it on production sites in the future... but can you spot the security hole this creates? How hard would it be for some disgruntled employee of Google to slip a few lines of evil JavaScript onto thousands (millions?) of web pages? Thankfully, Google's reputation is on the line as well, and I surely trust them to protect that!
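
One way to limit that risk is Subresource Integrity (SRI), a browser feature standardized after this post was written: the page pins the hash of the copy you reviewed, and the browser refuses a file that differs. The following is an added example, not code from the original post; the URL and the sample file contents are constructed placeholders.

```javascript
// Added example, not code from the original post. Node.js standard library only.
const crypto = require("crypto");

// Hash functions SRI accepts, ranked by strength.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// Integrity value ("sha384-<base64 digest>") for a copy of the script you reviewed.
function sriHash(body, algo = "sha384") {
  if (!STRENGTH.has(algo)) throw new Error("unsupported algorithm: " + algo);
  return algo + "-" + crypto.createHash(algo).update(body).digest("base64");
}

// Check fetched bytes against an integrity attribute: parse the space-separated
// list, keep the strongest algorithm present, accept if any of its digests match.
// Browsers skip the check when no usable hash is listed; this check fails closed.
function verifySri(body, integrity) {
  const entries = integrity.trim().split(/\s+/).map((item) => {
    const dash = item.indexOf("-");
    return { algo: item.slice(0, dash), digest: item.slice(dash + 1).split("?")[0] };
  }).filter((e) => STRENGTH.has(e.algo));
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.algo)));
  return entries.filter((e) => STRENGTH.get(e.algo) === best).some((e) => {
    const want = Buffer.from(e.digest, "base64");
    const got = crypto.createHash(e.algo).update(body).digest();
    return want.length === got.length && crypto.timingSafeEqual(want, got);
  });
}

// Script tag pinned to the reviewed bytes. crossorigin="anonymous" is needed so
// the browser is allowed to hash a response that comes from another origin.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample data: a stand-in for the library file and a modified copy.
const reviewed = Buffer.from("/* constructed stand-in for a library */ var lib = {};\n");
const modified = Buffer.concat([reviewed, Buffer.from("/* one unexpected line */\n")]);
const CDN_URL = "https://cdn.example/lib/1.0.0/lib.min.js"; // hypothetical URL

console.log(scriptTag(CDN_URL, reviewed));
console.log("reviewed copy passes:", verifySri(reviewed, sriHash(reviewed)));
console.log("modified copy passes:", verifySri(modified, sriHash(reviewed)));
```

Pinning only works against a versioned, immutable URL such as the 1.2.6 path above; a "latest" URL changes legitimately and would fail the check.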



Comments

1 . Binny V A at 2008-06-02T14:45:44.000Z

There is another problem - Google gets the usage stats of your site. That makes it much easier for Google to track users across sites.

2 . Stefan at 2008-06-02T22:52:44.000Z

Binny V A, so what's the problem with Google getting usage statistics about our sites?
We all use Google Analytics anyway...

And I have the same argument on "how hard would it be for some disgruntled employee of Google to slip a few lines of evil JavaScript"... we already use JavaScripts hosted on their servers when we insert the code they give us at Google Analytics in our pages, don't we?
They might as well insert malefic js from there. But we trust them not to.

3 . Jesse Skinner at 2008-06-02T23:14:37.000Z

@Stefan - excellent point, though it doesn't make it any less of a security hole. But we all seem to take that risk quite easily (this site included).

4 . Binny V A at 2008-06-03T03:17:16.000Z

@Stefan,
True - I myself use Analytics. But in the case of Analytics, the users know that their user stats are collected by Google. But in this case, it's not that apparent.

Basically it all depends on how much you trust Google.

5 . Matt at 2008-06-05T05:00:22.000Z

I don't think their caching or gzip compression is any better than what is available to Linux users. Where they have us is huge infrastructure.

But otherwise great if you can put up with Google knowing all. That is up to the end user, a high percentage of whom don't care.

6 . Andreas at 2008-06-09T00:17:44.000Z

Thanks for the information, jQuery is one of my fav JS frameworks (behind Prototype). But beware of spam blockers, sometimes Google URLs are blocked by default (by reason of Analytics).

Andreas

7 . Baptista - Ttaxi at 2008-07-04T18:29:44.000Z

Hi there,

I have a problem with a PHP booking form when used with Mozilla: http://www.ttaxi.pt/Booknow/bookingform.html

What recommendations can you give me? I think it is something related to the CSS file?

thanks

8 . lewis litanzios at 2008-10-16T03:09:56.000Z

you learn a new word every day: 'collocated' ;)