[dspillett]

> I do not want the world to conform to me, I just conform selectively.

A healthy attitude.

> I know the consequences of being a NoJS surfer, I just live with it, and don't complain.

I'm a bit more open with JS, though I've completely blocked flash for years. Any site that doesn't work just, well, doesn't work - I can always try others.

> And here I try to make some criticism of the posted work, and constructively.

I may have misread your short message as being much more "snarky" than you intended, in which case I apologise for my knee jerking in reaction.

> I think the JS CDNs are the most stupid things on the world. Hack one CDN, and you'll get to run your code on maybe millions of websites

Good point, and why I use local copies instead of CDNs myself. That and I prefer not to rely on an external resource unless I have to - it is an extra possible point of failure. The extra bandwidth use is insignificant from a hosting point of view and if you have caching directives set properly it'll only affect your users on first access (and you can often minimise that effect with careful lazy loading). But CDNs are an unavoidable consideration because every other man/woman/other and their dog seem to disagree.

> And who decides which CDNs are major, and/or better or more secure?

A thorny point. I would only include official locations of significant projects like code.jquery.com rather than anything more generic. I wouldn't even exclude ajax.googleapis.com from the "nothing generic" rule.

[gkya]

Happy we mostly agree. Should've been more elaborate, sorry. I sometimes trade off elaboration for brevity and/or laconicism, which causes misunderstandings and off-topic threads.

With regards to CDN, I guess the best option is to have a "standard library" for web, where the browsers provide a standard selection of javascript libraries, jquery, react (I really don't know what this last one is) and the like, and bootstrap and stuff, so that these need not be downloaded, and we can be sure that our copies are mostly secure (audited, tested) and that there's no real single point of failure.

There's still a who decides problem with this approach, but at least I won't be able to steal millions of session cookies should I manage to tamper a single JS file on some domain. Tho I'm not a security person, so it's possible that I'm telling useless crap.

[dspillett]

No, that is definitely a valid security concern if copies of code on CDNs are compromised. Though once you have code injected into something like that you can pretty directly do worse than take session cookies.

One possibility would be to have everything signed and include the fingerprint with the <script> tag. That way you could safely read jquery.version.js from anywhere and be as sure it is the real thing as if you'd picked it up from jquery.com. That would in fact remove the need for a CDN - one that copy has been ready from my site and verified there would be no need to read it from your site, so every site that uses the signed version essentially becomes part of a global communal CDN. Of course then you have the hassle of certificate management (how do I trust the signature on that file?). The current infrastructure used for SSL certificates, for all its faults, would suffice, but getting library maintainers to use it might be a struggle.

On further thought: in fact a digital signature may not be needed. Just a hash (and not even a salted one) using a sufficiently provably secure function may be adequate, as already provided by many download sites for verifying the absence of transmission errors, removing the need for any signature/certificate jiggery pokery.