Scott “Red Shirt” Guthrie announced today that the jQuery and Microsoft AJAX script libraries would be hosted on the Microsoft content delivery network (CDN) – which should speed up the initial loading of these libraries and save you bandwidth, as you won’t have to host them any more. Being an untrusting soul, errr, security person, I thought I’d take a quick look at how it’s delivered.

The scripts are hosted on which presents the first problem – it’s a domain. When you do any serious browsing of the normal sites you’re going to pick up cookies: for example when you log in to something that requires Live authentication, when you register for an event, or simply when you’re handed a session ID. On my machine I have seven cookies that are sent to any site and some of them look like tracking identifiers (the omniID for example is a GUID, then there’s MUID, a cookie called ANON and so on). There’s no way of knowing what these cookies actually do, but because they are scoped to the parent domain the browser will send them with every request for the CDN-based script libraries, which, if Microsoft were so inclined, could be used to track users as they travel through the various sites that use the CDN. Of course Google does the same thing, and has been doing it for longer. The Google script for loading other scripts (yes I know) comes from, so the cookie that identifies your searches will be sent when you browse to a site that uses the Google script CDN (the AdSense and Google Analytics scripts come from different domains, so those identifying cookies won’t be sent with them). So there is a potential privacy problem here, if Microsoft were inclined to be evil.
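To make the cookie point concrete, here is an added example (not code from the original post) that models the RFC 6265 rules a browser applies when deciding which stored cookies to attach to a request: domain-match, path-match, the host-only flag and the Secure flag. The cookie jar and the domain names (vendor.example, vendorcdn.example) are constructed for illustration; the cookie names ANON and omniID are borrowed from the post but their attributes here are assumed.

```python
"""Which stored cookies does a browser attach to a request for a CDN host?

Added example, not from the original post: a small model of the RFC 6265
cookie-matching rules run against a constructed cookie jar.  All domain
names are made up.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str               # canonical lower-case, no leading dot
    path: str = "/"
    host_only: bool = False   # True when the Set-Cookie carried no Domain attribute
    secure: bool = False      # Secure attribute: only sent over https


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: identical, or host ends with '.' + domain and is not an IP."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not _is_ip(host)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(jar, url: str):
    """Names of the cookies a conforming browser sends with `url` (RFC 6265 s5.4)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in jar:
        if c.host_only:
            if host != c.domain:          # host-only cookies never cross to subdomains
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and parts.scheme != "https":
            continue
        sent.append(c.name)
    return sent


# Constructed jar: roughly what a user carries after logging in to the vendor's main site.
JAR = [
    Cookie("SESSIONID", "www.vendor.example", host_only=True, secure=True),
    Cookie("ANON", "vendor.example"),       # Domain=vendor.example: sent to every subdomain
    Cookie("omniID", "vendor.example"),
    Cookie("PREF", "vendor.example", path="/account/"),
]

if __name__ == "__main__":
    # A CDN host under the same parent domain receives the domain-scoped tracking cookies...
    print(cookies_sent(JAR, "https://ajax.vendor.example/jquery.js"))
    # ...while a CDN on a domain of its own receives none of them.
    print(cookies_sent(JAR, "https://ajax.vendorcdn.example/jquery.js"))
```

The second call is the whole argument for giving a script CDN its own registrable domain: no cookie set by the main site can domain-match it, so nothing identifying travels with the script request.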

A bigger problem arises if your site is a secure site. If you’re running your site on HTTPS then you’ll want to load your scripts from an HTTPS source too, to avoid the mixed content warnings that users will otherwise get. The certificates on the CDN servers don’t match the domain – when I tried, the certificate was issued to the underlying machine, so of course embedding the scripts over HTTPS won’t work with this mismatch. Now yes, it’s beta, it’s very early beta, so one would hope the certificate problems go away by release (or you simply don’t use the CDN if your site is a secure site, which is probably the better option anyway – if your site is secure then it’s secure for a reason and you won’t want to load scripts from outside due to matters of trust; a script you include runs with the full privileges of your page, so if the MS servers get owned, whatever they serve runs inside your application, json hijacking and all, and your app is in trouble. The same problem exists with the Google hosted script libraries).
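The certificate mismatch above is a hostname-matching failure, so here is an added example (not code from the original post) of the rule a browser applies: dNSName entries in the subjectAltName extension are authoritative, the subject CN is only a legacy fallback when no dNSName is present, and a wildcard may only stand for the whole left-most label. The certificate dicts use the shape returned by Python’s ssl getpeercert(); both certificates and all host names in them are constructed, and fetch_cert() is an assumed helper that needs the network and is not exercised by the constructed cases.

```python
"""Does the certificate a CDN edge presents actually cover the CDN hostname?

Added example, not from the original post: browser-style hostname matching
applied to constructed certificate dicts in the shape that
ssl.SSLSocket.getpeercert() returns.  All names are made up.
"""
import socket
import ssl


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname; wildcard only as the entire
    left-most label, and only when at least two labels remain to its right."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False                      # rejects "*.example" and "*" outright
    if p_labels[0] != "*":
        return False                      # no partial-label wildcards such as "ajax*"
    return p_labels[1:] == h_labels[1:]   # "*" covers exactly one label


def cert_names(cert: dict):
    """Return (dNSName SANs, subject CNs) from a getpeercert()-style dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return sans, cns


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for `hostname` under the SAN-first rule."""
    sans, cns = cert_names(cert)
    candidates = sans if sans else cns    # CN is ignored once any dNSName SAN exists
    return any(_name_matches(name, hostname) for name in candidates)


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Network helper (assumed, not run here): fetch the leaf certificate of host:port
    with the chain still verified but the hostname check disabled, so a mismatch can
    be inspected with hostname_matches() instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificates mirroring the situation in the post: the CDN edge node
# presents a certificate issued to the machine itself rather than to the CDN name.
MACHINE_CERT = {
    "subject": ((("commonName", "edge01.cdn-internal.example"),),),
    "subjectAltName": (("DNS", "edge01.cdn-internal.example"),),
}
CDN_CERT = {
    "subject": ((("commonName", "ajax.vendorcdn.example"),),),
    "subjectAltName": (("DNS", "ajax.vendorcdn.example"), ("DNS", "*.vendorcdn.example")),
}

if __name__ == "__main__":
    cdn_host = "ajax.vendorcdn.example"
    print("machine cert covers CDN name:", hostname_matches(MACHINE_CERT, cdn_host))
    print("proper CDN cert covers CDN name:", hostname_matches(CDN_CERT, cdn_host))
```

A browser running the same rule against MACHINE_CERT refuses the connection, which is exactly the failure seen when a page on HTTPS tries to pull the scripts from the CDN; until the edge nodes present a certificate whose SANs cover the CDN hostname, the scripts cannot be embedded over HTTPS at all.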

MS aren’t setting cookies from the ajax CDN hosts, and I’m not suggesting they’d be evil enough to aggregate requests for the ajax scripts with users of (and I doubt that would produce anything useful!), but I’d just feel happier if they didn’t accept them either, preferably by giving the CDN a domain name all of its very own.
