A few days ago I outlined that the Reuters website entrusts its security to 40 external parties. What particularly struck me was the use of external code hosting services, e.g. loading the jQuery library directly from the jQuery website and the GSAP library from cdnjs. It seems that in this particular case Reuters isn’t the one to blame — they don’t seem to include these scripts directly; rather, some of the other scripts they are using are doing this.
Why would one use externally hosted libraries as opposed to just uploading them to your own server? I can imagine three possible reasons:
- Simplicity: No need to upload the script, you simply add a `<script>` tag to your page and forget about it. Not that uploading the scripts to your webspace is an effort worth mentioning, especially compared to the effort of actually developing the website.
- Performance: External code hosting typically uses a content distribution network, which claims to provide superior performance by being closer to the clients. However, whether there is really a performance advantage when using persistent connections (the typical scenario these days) is doubtful to say the least.
- Scalability: Your server no longer needs to serve the static files and has more reserves for something else. This is no longer much of an argument for modern websites: serving static files typically produces negligible CPU load compared to the page using these files.
On the other side there are clear disadvantages:
- Stability: With externally hosted code your website won’t just be down when your webserver is down, it will also be down whenever that external code hosting is down. And there will always be users who can reach your website but not your code hosting for some reason — these will be able to visit your website, but it will appear broken.
- Privacy: You are hopefully respecting the privacy of your users when they visit your website and don’t collect unnecessary data. But what about the code hosting service and their content delivery network? You now have two more parties that can collect data on your site visitors, and do you have any idea what they are doing with that data?
- Security: You are betting the security of your website on the security of the external code hosting and their content delivery network. If either of them is compromised, they can do anything to your website. As mentioned in the previous blog post, you could suddenly discover propaganda messages on your website, or it could start distributing malware to your visitors.
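As an added example (not code from the original post), here is a small Python audit that parses a page's HTML and lists every script loaded from an origin other than the page's own, so the external parties a page depends on become visible; it also records whether each such script carries an `integrity` attribute (Subresource Integrity, which the post does not discuss). The page URL and the sample HTML are constructed; the hostnames are chosen to match the post's jQuery and cdnjs examples, the paths are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, has_integrity_attribute)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):  # inline scripts have no src and are not remote
            self.scripts.append((attr["src"], "integrity" in attr))


def third_party_scripts(html, page_url):
    """Return (absolute_src, host, has_integrity) for every script whose
    origin (scheme + host) differs from the origin of page_url."""
    parser = ScriptSourceCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    page_origin = (page.scheme, page.netloc.lower())
    result = []
    for src, has_integrity in parser.scripts:
        absolute = urljoin(page_url, src)  # also resolves "//host/..." URLs
        parts = urlsplit(absolute)
        if (parts.scheme, parts.netloc.lower()) != page_origin:
            result.append((absolute, parts.netloc.lower(), has_integrity))
    return result


# Constructed sample page: one first-party script, two externally hosted
# libraries (hostnames as in the post's examples, paths made up), one inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://code.jquery.com/jquery.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/gsap/gsap.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline code is not a remote dependency");</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, host, sri in third_party_scripts(SAMPLE_HTML, "https://www.example.com/news/"):
        print(f"{host:24} integrity={sri!s:5} {src}")
```

Run against a real page's saved HTML, the list is the set of hosts whose compromise or outage affects that page, and the missing `integrity` entries show which scripts the browser will execute unchecked.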