I'm usually a fan of hosting all the files a website uses myself, in the same location as the website itself. When an image or JS file needs to be updated, there is no need to update it at a remote URL; I just change the file hosted under the same website/FTP account.

However, this is not the fastest setup. To speed up websites by spreading requests across multiple hosts and serving them from the location closest to the end user, keeping static files on CDNs (content delivery networks) is a very good and widely used solution.


The same logic applies to JavaScript frameworks. To speed things up, hundreds of thousands of websites load their JavaScript libraries from a hosted copy, and a large share of them use the same hosted platform: Google Libraries API, which is the focus of this discussion.

There is a serious speed and bandwidth gain in this structure: the browser caches the library file once, keyed by its URL, so the user does not re-download it on every visit to a website that loads the same version from the same Google Libraries API URL.

Today, if we have used jQuery, MooTools, Dojo, Prototype, etc. while developing our websites (almost every website uses one of them, including many WordPress, Joomla and Drupal themes), there is a high chance that we are loading these frameworks from Google Libraries API.

So, what happens if Google Libraries API gets hacked? 

To be more specific, what if the contents of https://ajax.googleapis.com/ajax/libs/jquery/ver.../jquery.min.js are changed?

The hosted file is replaced, and the jQuery (or MooTools, Dojo or Prototype) file included in our websites now contains malicious code: it injects iframes, posts form data to other URLs, and so on. Because the included script executes in the including page's own origin, it can do anything the page's own scripts can do, including reading the DOM, cookies and form fields of every site that loads it.

I simply can't think of the damage it can create.

By the way, I'm aware that Google Libraries API is built with very good intentions and it does the job perfectly (thanks to them), and I'm sure that Google's CDN is probably one of the safest places on the web. But this security concern is worth discussing considering the effect it can create, and every datacenter, server and piece of data can possibly be hacked.

So, is this structure totally wrong, or are the benefits worth the threat? What do you think (really wondering here)?

Credits: Hack The Planet visual.
