by tptacek 5353 days ago
This question is nonsensical. If you can't host a static file you are screwed no matter what. We can argue about how much of a risk Google CDN is (I don't think it's much of one), but it's not zero.

"Home rolled static file store"? Sheesh.

2 comments

No offense, but from my perspective you're getting a little rude here without really explaining the situation.

So far I grasped from you that external static files compromise the security model so much it's worth the time and effort to keep up to date with them locally and be okay if the page load times suffer (they do especially with minimalist sites.)

I understand the risk that Google CDN might be hacked and turned into a data mining monster, but it would, at the same time, infect so many important and popular sites on the whole web, I can't even imagine my sites being targeted.

    but it would, at the same time, infect so many important and popular sites on the whole web, I can't even imagine my sites being targeted.
Maybe, or maybe it's exploited to target only your site by detecting referrers and only serving your site malicious javascript. Thomas is correct in arguing to host your own.
This implies I can do it better than Google or any other big-name-company CDN I happen to trust.

I don't know about you or Thomas, but this isn't true for me.

You ignored the point I'm making. You don't have a choice but to do "static file hosting" securely.
Lots of sites use Google's CDN so it's very likely the file is already in your user's cache. That seems like a nice little speed bonus if the only trade off is the theoretical risk that Google's CDN might be more easily hacked than your own server.

As an aside, I notice on my site there are a few percent of visitors with security settings on their browser that prevent loading from Google's CDN (actually, there's usually an internet security product of some sort interfering). So you're going to have to provide a fallback to a file on your own server anyway.
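
The fallback described in the last comment, as an added example that is not part of the thread: a loader that tries the CDN copy first and falls back to a self-hosted copy when the request is blocked, hangs, or returns something that does not define the library. `CDN_URL`, `LOCAL_URL`, the `ExampleLib` global and the function name are assumptions made for illustration.

```javascript
// Added example (not from the thread). URLs and the ExampleLib global are placeholders.
const CDN_URL = 'https://cdn.example/libs/examplelib.min.js';
const LOCAL_URL = '/static/js/examplelib.min.js';

// Try each URL in order. isLoaded() must return true once the library's
// global exists; done(url) receives the source that worked, or null.
function loadScriptWithFallback(doc, urls, isLoaded, done, timeoutMs = 4000) {
  const tryNext = (i) => {
    if (i >= urls.length) {
      done(null); // every source failed: caller decides how to degrade
      return;
    }
    const el = doc.createElement('script');
    let settled = false;
    const finish = (fired) => {
      if (settled) return; // ignore late events after a timeout
      settled = true;
      clearTimeout(timer);
      // A filtering proxy can answer 200 with an empty or rewritten body,
      // so a load event alone is not proof the library is present.
      if (fired && isLoaded()) {
        done(urls[i]);
      } else {
        tryNext(i + 1);
      }
    };
    // Blocked requests usually fail fast via onerror; the timer covers hangs.
    const timer = setTimeout(() => finish(false), timeoutMs);
    el.onload = () => finish(true);
    el.onerror = () => finish(false);
    el.async = true;
    el.src = urls[i];
    doc.head.appendChild(el);
  };
  tryNext(0);
}

// Browser usage; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  loadScriptWithFallback(
    document,
    [CDN_URL, LOCAL_URL],
    () => typeof window.ExampleLib !== 'undefined',
    (src) => console.log(src ? 'loaded from ' + src : 'library unavailable')
  );
}
```

Listing the self-hosted copy last means the page still works for visitors whose browser or security product blocks the third-party host.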