Script CDN usage, privacy and costs

If I link jQuery from Google CDN with a script tag in an HTML page on a client's website, what are the privacy implications of this?

What is the hidden cost of using these CDN services? If the script is not cached by the browser and it loads the script from Google, what could Google potentially do with the information? Could it be usefully extrapolated in conjunction with other services such as search, analytics or AdSense? Nothing is free, what's the catch?

And a bonus question...

If the script is cached by the browser already (304) does the browser still make a remote request?

puddletown asked Apr 13 '12 00:04


1 Answer

A 304 is a response that is the result of a request. It's a request, which includes information about the last request it made and got a 200, from which the server either replies 200 OK and here's the new stuff, or 304 Not Modified and ends it then and there (with a few HTTP headers for good measure).

Fact is, though, with the right configuration of the responses, the browser may not even make the request. I don't know the headers off the top of my head, so I did a Google CDN request for jQuery 1.7.2 just by navigating through the browser.

HTTP/1.1 304 Not Modified
Date: Wed, 11 Apr 2012 15:01:19 GMT
Expires: Thu, 11 Apr 2013 15:01:19 GMT
Age: 122140
Server: GFE/2.0

So, you can see it's set to expire after 1 year. I tried futzing with it as a source to a script in a local HTML editor/webpage and, using Fiddler2, could see that no request was made. Now if I navigate through my browser again, I will get the same request, but not in my editor.

Privacy-wise, I'm not sure that there's an issue. If something happens to the CDN, of course, there might be some problem, and of course there might be man-in-the-middle attacks, etc., but if that's your concern, you should be using HTTPS anyway. CDNs also generally provide HTTPS as well.

The biggest drawback to reliance on a CDN is that due to network failures, your clients might not have access to the CDN. So it's always good to provide a backup.

Here's an example:

<!-- Try the CDN copy first -->
<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script type="text/javascript">
    // If the CDN copy did not load, jQuery is undefined: fall back to the local copy
    if (typeof jQuery == 'undefined') {
        document.write(unescape('%3Cscript src="/local/path/to/jQuery/jquery.1.7.1.min.js" type="text/javascript"%3E%3C/script%3E'));
    }
</script>
JayC answered Oct 04 '22 04:10
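
The freshness check behind the "no request was made" observation in the answer above, as an added example that is not part of the original post: it applies the HTTP caching rules (RFC 7234) in simplified form, without heuristic freshness, to the headers quoted in the answer, which also shows how rarely the CDN would see a request from that browser. The names `parseHeaders` and `cacheDecision` and the clock values are assumptions made for the illustration.

```javascript
// Added example: simplified RFC 7234 freshness check (hypothetical helper names).
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

function cacheDecision(raw, receivedAtMs, nowMs) {
  const h = parseHeaders(raw);
  const cc = (h['cache-control'] || '').toLowerCase();
  if (/\bno-store\b/.test(cc)) return { action: 'fetch', lifetime: 0, currentAge: 0, secondsLeft: 0 };
  const dateMs = Date.parse(h['date']);       // NaN when the header is missing
  const expMs = Date.parse(h['expires']);
  const maxAge = /\bmax-age=(\d+)/.exec(cc);
  // Freshness lifetime: max-age wins over (Expires - Date); with neither, treat as stale.
  let lifetime = 0;
  if (maxAge) lifetime = Number(maxAge[1]);
  else if (!Number.isNaN(dateMs) && !Number.isNaN(expMs)) lifetime = Math.max(0, (expMs - dateMs) / 1000);
  if (/\bno-cache\b/.test(cc)) lifetime = 0;  // stored, but revalidated on every use
  // Current age: age the response had on arrival plus time spent in the local cache.
  const ageHeader = Number(h['age']) || 0;
  const apparentAge = Number.isNaN(dateMs) ? 0 : Math.max(0, (receivedAtMs - dateMs) / 1000);
  const currentAge = Math.max(ageHeader, apparentAge) + (nowMs - receivedAtMs) / 1000;
  const secondsLeft = Math.max(0, lifetime - currentAge);
  const action = secondsLeft > 0 ? 'reuse-without-request' : 'revalidate';
  return { action, lifetime, currentAge, secondsLeft };
}

// Headers quoted in the answer above.
const SAMPLE = [
  'HTTP/1.1 304 Not Modified',
  'Date: Wed, 11 Apr 2012 15:01:19 GMT',
  'Expires: Thu, 11 Apr 2013 15:01:19 GMT',
  'Age: 122140',
  'Server: GFE/2.0',
].join('\n');

// Constructed clock values: the response arrived Age seconds after Date,
// and the page is loaded again one hour later.
const RECEIVED = Date.parse('Wed, 11 Apr 2012 15:01:19 GMT') + 122140 * 1000;
const HOUR_LATER = cacheDecision(SAMPLE, RECEIVED, RECEIVED + 3600 * 1000);
console.log(HOUR_LATER.action, HOUR_LATER.secondsLeft);
```

A result of `revalidate` corresponds to the conditional request that can come back as 304; `reuse-without-request` means the CDN sees nothing for that page load.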