Why would we not use JavaScript library on a CDN if the webpage is using SSL (https)?


Problem description

For JavaScript libraries such as jQuery or YUI3, either Google or Yahoo are hosting the scripts on their CDN, and a YUI 3 Cookbook paragraph says:


perhaps your pages use SSL, in which case loading remote resources is a bad idea, as it exposes your users’ secure information to the remote site

I can only see that the CDN site must be well trusted, or else malicious JavaScript can be running on www.mycompany.com's webpages. But assuming the CDN sites (Google and Yahoo) are well trusted, why would an SSL webpage not want to include those JavaScript libraries on a CDN -- how can it "expose your users' secure information to the remote site" as described in the book?

Recommended answer

Loading external Javascript libraries via SSL onto an encrypted webpage can be seen as betraying a user's trust, as the information the user provides to the website is no longer, theoretically, between just them and the secure website. Furthermore, in the event of an external library becoming compromised, the information passed to the website itself could be compromised as well.

Ryan Grove, a YUI3 developer, has elaborated upon this in detail here.

In short,


[...] you’re letting FooCo execute any JavaScript it wants on your website. You’re loading that JavaScript securely over SSL, so the browser isn’t displaying any scary warnings, but now your users aren’t just communicating with buygadgets.example.com. Now they’re also communicating with cdn.foolib.com, and since cdn.foolib.com can run JavaScript on your pages, they can also see any information the user reads or enters on those pages.

Of course, whether or not you decide to pull external executable code over SSL is relative to how important security is to your particular use case, and there are varying opinions on this subject.

