• Quick note - the problem with Youtube videos not embedding on the forum appears to have been fixed, thanks to ZiprHead. If you do still see problems let me know.

Hosting Javascripts on a different domain

krelnik

Graduate Poster
krelnik
Joined
Jan 22, 2007
Messages
1,544
Location
Atlanta, Georgia
Did I miss a memo?

I've noticed that just in the last six months, several major websites have made the same change to the way their pages are structured. Each has moved their Javascript files from being hosted on the same domain as the page itself, to being hosted on a differently named domain.

Now, there is a well known trick of using different names for subcomponents of a page. For instance, www.example.com is where your HTML is hosted, then you put images on images.example.com and javascripts on scripts.example.com. This gets around a limit of two simultaneous TCP connections at a time that many browsers adhere to. That is not what I am talking about.

What I am talking about is hosting Javascripts specifically on an entirely different domain. Let me be specific. Just in the last six months:

youtube.com has moved its .JS files to ytimg.com
cnn.com has moved its .JS files to cdn.turner.com
weather.com has moved its .JS files to j.imwx.com

Whats odd about this is that they each have their own specifically registered domain for this purpose, and its not the domain of a content delivery network or other infrastructure provider. In fact, if you try to load the home page off most of those domains, they usually redirect back to the main domain of the company.

Now you are probably wondering, why does krelnik care about this? Well, you have to know that I am a security nerd, having worked at several computer security companies in the past. As a result, I have a deep abiding fear of the havoc that Javascript can wreak on your system. It is the primary vector for delivery of most malware at this time.

As a result, I follow the practice of whitelisting sites that I will allow Javascript (and other active content such as Java) to run on. As a result, to make a site like cnn.com work, I have to manually put *.cnn.com into a list. It's a pain in the behind, but I prefer it over the alternative.

When folks used things like scripts.cnn.com to get around the 2-connection limit, that worked fine, and all was well.

Now I have discovered that (as of 2008) this is not enough. Now I have to do View Source on a page I want to whitelist, and figure out what "secret" domain that site is using to store their Javascripts (and sometimes CSS) on.

Can anyone explain to me why all these sites started doing this?
 
Last edited:
I also noticed this on some other sites. Youtube has taken it a step further. A video at youtube.com .swf player comes from s.ytimg.com, but an embedded youtube video's code loads the .swf file from youtube.com.

Social bookmarking site Reddit temporarily had it's JS and CSS stored at amazonaws.com. Interesting, and it failed miserably. Now it has reddit.com for the main code, and JS and CSS coming from static.reddit.com and reallystatic.reddit.com (no, I don't know what they mean by static vs. really static).

I don't know why so many web admins are doing that, though. You may want to ask this to Giorgio Maone, creator of NoScript.

As an afterthought, cnn hosting it's JS on turner.com is not surprising. Turner is their main advertising partner. By doing this, they ensure that if you want CNN to work with all the bells and whistles, you must allow more leniency towards its ads, and something about Turner, and therefore Time Warner, observing how we use the website. It's probably something shady everywhere.
 
I don't know why they're doing it either. These are simply candidates for etc/hosts and the worst is google-analytics.com. I'm not through with analyzing the ~100kb Urchin JavaScript loaded by it (just right-click and look) but it's definitely nothing that i want to have executed by my browser.
 
Last edited:
Not only is there separately the google-analytics.com domain that google forces on you, but also googlesyndication.com as well. Google does lots of analysis on what you do on the web. I use CS Lite in firefox, and when I'm not actually using google, I've started the habit of denying it cookies, on top of denying cookies permanently for google-analytics and googlesyndication, and googleadservices.com.
 
Aerik said:
Social bookmarking site Reddit temporarily had it's JS and CSS stored at amazonaws.com. Interesting, and it failed miserably. Now it has reddit.com for the main code, and JS and CSS coming from static.reddit.com and reallystatic.reddit.com (no, I don't know what they mean by static vs. really static).
Click to expand...

Yes AmazonAWS.com is one I hadn't mentioned. AWS is Amazon Web Services, a hosting service. This is where Amazon (like Google) actually sells space on their huge infrastructure to third party apps.

Its actually a pretty attractive service. I've heard folks recommend putting your static content on Amazon as a good way to insulate a tiny site against occasional "Slashdotting". This is because many small sites run under agreements that have a monthly bandwidth cap, and Amazon has heavy infrastructure to handle bursty load.

As an afterthought, cnn hosting it's JS on turner.com is not surprising. Turner is their main advertising partner. By doing this, they ensure that if you want CNN to work with all the bells and whistles, you must allow more leniency towards its ads, and something about Turner, and therefore Time Warner, observing how we use the website. It's probably something shady everywhere.
Click to expand...

It's more than that, CNN and Turner really are the same company. (I live in Atlanta so I know some people that work there and drive by their offices regularly). "CDN" in that name almost certainly stands for "Content Delivery Network". A CDN is a web host that specializes in shoveling out huge amounts of static content. Akamai is a famous one that is used by big companies like Apple and Microsoft.

I like your theory that it is advertising related. One of the nice side effects of my whitelisting is many (but not all) of the more annoying ads don't load and ad-heavy pages load a bit faster. Perhaps some of these publishers noticed that people were blocking Javascript to get this effect, and decided to rig it so that the whole site would not work if you did that?

Seems somewhat plausible, but they still could have done that by putting the files on "ads.cnn.com". Seems odd they all made this same decision.
 
Last edited:
This might just be an effort to save costs, buy less machines, pay less IT folks to manage your infrastructure, and, if part of another company, consolidate all those functions into one shop.
 
Just as a note when we upgrade we will probably be using the option to have our javascript stuff served fro ma different domain, this is because Jelsoft have switched to using "Yahoo! User Interface Library (YUI)" for their AJAX stuff and that can be served direct from Yahoo - it's meant to save us bandwidth.
 
That's cool, Darat, and it should speed initial page loads because people's browsers will be more likely to have the JS files cached. Yahoo is so ubiquitous that I would think most people have it in their whitelists already. Let us know if it uses a domain other than *.yahoo.com, though!

Google recently announced a program where they are going to host some of the more common open-source AJAX (i.e. Javascript) libraries on their servers, for the same caching benefit. Everyone might as well put ajax.googleapis.com in their white lists right now.
 
The whitelist isn't hard to find on NoScript at all. I like noscript. I think having to whitelist things, rather than accept all be default, is the way to go when it comes to web security.

I also recommend an extension called Customize google, which can anonymize the google cookie UID and deny cookies being sent from google to googleanalytics.

@darat: the only thing I think is missing from NoScript right now is an override feature that denies all external scripts, much the way the web developer extension can toggle external cookies or external images on/off.

I also wish Firefox would adopt Opera's ability to block images with regular expressions. But I hate placeholders, and imglikeopera forces them on you, and pisses me off.

Two more extensions for web safety: stanford's "safehistory" and "safecache" extensions.
 
Last edited:
You must log in or register to reply here.

Back
Top Bottom