• Google is Hosting Ajax Libraries

    Jun 2 2008

    You may have heard that Google is hosting a number of Ajax APIs, including jQuery, Prototype, script.aculo.us, MooTools and Dojo.

    Ajaxian actually has a good write-up of the benefits of this hosting. Long story short: Google's servers do caching and gzip compression as well as or better than most of us know how to do, plus their web hosting is collocated and fast. On top of that, if we all got our sites to use the copy of jQuery on Google, our users would be more likely to have it cached before they ever visit our site.

    To get started with jQuery 1.2.6, for example, you could just use this script tag:

    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>

    For other libraries and library loading techniques, check out the documentation.

    All of this is really great, and I plan on using it on production sites in the future... but can you spot the security hole this creates? How hard would it be for some disgruntled employee of Google to slip a few lines of evil JavaScript onto thousands (millions?) of web pages? Thankfully, Google's reputation is on the line as well, and I surely trust them to protect that!
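
One way to narrow the risk raised above, as an added example that is not code from the original post: Subresource Integrity, a browser feature standardized after this post was written, pins the hosted file to the exact bytes you reviewed. The helper names and sample bytes are constructed for illustration, and the tag assumes the host serves the file with CORS headers.

```javascript
const crypto = require('node:crypto');

// Weakest to strongest; browsers only check the strongest algorithm listed.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// SRI value ("sha384-<base64 digest>") for the exact bytes you reviewed.
function sriHash(bytes, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Mirrors the browser's decision: may these fetched bytes run under this
// integrity attribute? Unknown algorithms are ignored, as browsers do.
function matchesIntegrity(bytes, integrity) {
  const known = integrity.trim().split(/\s+/)
    .map((token) => token.split('?')[0])            // drop "?options"
    .filter((token) => ALGOS.includes(token.split('-')[0]));
  if (known.length === 0) return true;              // no usable hash: unchecked
  const rank = (token) => ALGOS.indexOf(token.split('-')[0]);
  const best = Math.max(...known.map(rank));
  return known
    .filter((token) => rank(token) === best)
    .some((token) => token === sriHash(bytes, token.split('-')[0]));
}

// Script tag that pins src to the reviewed bytes.
function scriptTag(src, reviewedBytes) {
  return `<script type="text/javascript" src="${src}" ` +
    `integrity="${sriHash(reviewedBytes)}" crossorigin="anonymous"></script>`;
}

// Constructed stand-ins for a library file (not real jQuery source).
const reviewed = Buffer.from('window.lib = function () { return "1.2.6"; };\n');
const tampered = Buffer.concat([reviewed, Buffer.from('/* constructed: code added later */\n')]);

const pinned = sriHash(reviewed);
console.log(scriptTag('http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js', reviewed));
console.log('reviewed bytes run:', matchesIntegrity(reviewed, pinned));
console.log('tampered bytes run:', matchesIntegrity(tampered, pinned));
```

A pinned hash only holds for a versioned URL whose content never changes, and it does nothing about the usage-statistics concern raised in the comments.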

  • Comments

    1. Binny V A at 10:45am on June 2, 2008

    There is another problem - Google gets the usage stats of your site. That makes it much easier for Google to track users across sites.

    2. Stefan at 6:52pm on June 2, 2008

    Binny V A, so what's the problem with Google getting usage statistics about our sites?
    We all use Google Analytics anyway...

    And I have the same argument on "how hard would it be for some disgruntled employee of Google to slip a few lines of evil JavaScript"... we already use JavaScripts hosted on their servers when we insert the code they give us at Google Analytics in our pages, don't we?
    They might as well insert malefic js from there. But we trust them not to.

    3. Jesse Skinner at 7:14pm on June 2, 2008

    @Stefan - excellent point, though it doesn't make it any less of a security hole. But we all seem to take that risk quite easily (this site included).

    4. Binny V A at 11:17pm on June 2, 2008

    @Stefan,
    True - I myself use Analytics. But in the case of Analytics, the users know that their user stats are collected by Google. But in this case, it's not that apparent.

    Basically it all depends on how much you trust Google.

    5. Matt at 1:00am on June 5, 2008

    I don't think their caching or gzip compression is any better than what is available to Linux users. Where they have us is huge infrastructure.

    But otherwise great if you can put up with Google knowing all. That is up to the end users, a high percentage of whom don't care.

    6. Andreas at 8:17pm on June 8, 2008

    Thanks for the information, jQuery is one of my fav JS frameworks (behind Prototype). But beware of spam blockers, sometimes Google URLs are blocked by default (because of Analytics).

    Andreas

    7. Baptista - Ttaxi at 2:29pm on July 4, 2008

    Hi there,

    I have a problem with a PHP booking form when used with Mozilla: http://www.ttaxi.pt/Booknow/bookingform.html.

    What recommendations can you give me? I think it is something related to the CSS file?

    thanks

    8. lewis litanzios at 11:09pm on October 15, 2008

    you learn a new word every day: 'collocated' ;)
