
Hotlinking to jquery.com will be disabled on January 31, 2011 - Uncle_Sam
http://blog.jquery.com/2010/12/30/hotlinking-to-be-disabled-on-jan-31-2011/
======
ajpiano
We did a lot of analysis of the sites that were actually hotlinking, and are
planning to reach out to those that are above board and should know better. By
and large, however, most of the sites that were hotlinking were
porn/phishing/generally nefarious, which weighed heavily into our decision to
pull the plug relatively soon. Serving people who need jQuery and jQuery UI
documentation, etc., is a higher priority than not-pulling-the-rug-out-from-under
networks of porn sites - people who have more than adequate access to
their own hosting and distribution resources.

~~~
ajpiano
OTOH, TaylorSwift.com was also hotlinking, which is pretty awesome.

~~~
slexaxton
I am currently trying to talk to Taylor about sharing cdn resources.

If anyone is not aware, one of the best CDNs out there for getting jQuery is
the Taylor Swift "TaylorNation" cdn.

[http://cdn.thetaylornation.com/taylornation/resources/displa...](http://cdn.thetaylornation.com/taylornation/resources/display/js/jquery/jquery-1.4.2.min.js)

I encourage everyone to use it.

~~~
catshirt
slexaxton imma let you finish... but amazon has one of the best cdns of all
time

------
DanHulton
I like the one comment about serving up evil.js to hotlinkers instead
([https://github.com/kitgoncharov/evil.js/blob/gh-pages/evil.j...](https://github.com/kitgoncharov/evil.js/blob/gh-pages/evil.js)).

How have I never heard about this hilarious script before?

~~~
BCM43
For those of us who do not know javascript (a rarity on HN, I know) could you
explain what it does?

~~~
jerf
It does... many things. All sort calls are hardcoded to return [4, 8, 15, 16,
23, 42], regardless of input. It scrambles the log bases for the math
logarithm commands, it hardcodes the output of the upper-casing string call to
a constant, and what I've reported is just a sampler. It is very well-named.

Could be improved a bit, though. Many of its entries lack subtlety. If you
really want to be _evil_, make uppercase do something like uppercase all but
_one_ letter, or "uppercase" the digit 1 into exclamation marks, 2 into at
signs, etc., convincing the poor developer that the JS upper case function is
broken and affects digits. ("Must be unicode or something.")

~~~
rhizome
How would this not start a backlash of "jQuery (or whatever) is broken"? If
the only indication is that a hotlinked .js suddenly stops working, what
exactly is the debugging process there? I simply don't think most web
developers are going to find a useful path from "scrambled log bases" to
"hotlinked js," if they even _identify_ "scrambled log bases."

Then again, maybe the point is to muddy your own waters? I'm reminded of an
aphorism dealing with activities that should not be undertaken near one's
place of slumber.

~~~
glhaynes
I don't think it's a serious suggestion that evil.js be included, just a funny
thought.

~~~
rhizome
Ah, dopey me!

------
zbanks
Crockford used to prevent hotlinking to his JSON library (it's now on GitHub)
in an interesting way: right at the top there was an alert() line that you had
to remove before using.

This would probably be the best way to transition. If they add an alert to
their library and leave it up a week, most people should notice and fix it.

~~~
axod

      <!-- Replace alert() with a no-op before the hotlinked library runs, so the
           alert() at the top of the file never fires; the original is kept in
           oldAlertFunction so it can be restored afterwards -->
      <script>
      var oldAlertFunction = window.alert;
      window.alert = function(){};
      </script>

      <!-- "crockford.com/json.library.js" is the commenter's placeholder path; it
           needs a scheme, otherwise it is fetched relative to the current page -->
      <script src="https://crockford.com/json.library.js"></script>


Arms race, but just sayin'

~~~
alex_c
The point would be to give webmasters a heads-up and time to fix their sites
before hotlinking is disabled, not so much to prevent them from using the
file.

~~~
axod
Indeed. I was just being silly :)

------
cletus
Frankly I'm surprised jQuery even allowed this to begin with. Now there will
be sites that rely on this that break, some of which won't be fixed for ages
(if ever).

I guess I shouldn't be but I'm still surprised people would even do this given
that Google is offering the service for free. Hotlinking has always been
antisocial.

~~~
sudont
Never doubt the laziness of people, especially other developers.

I'm actually more surprised that the site didn't either use Google's API to
host the download, or provide a hotlink button right there.

~~~
angrycoder
Some might be from laziness, but I would imagine most of the hotlinking is
from ignorance.

~~~
bigiain
Agreed. I'll bet a significant portion of it is coming from cut-n-pasted html
where the users don't even realise they're using hotlinked javascript, and
have probably never even heard of jquery (and, unfortunately, are
spectacularly unlikely to hear about this change on jquery's hotlinking
policy).

------
dedward
Always seemed to me to be a bad practice from a security point of view - you
are putting the security of your site in the hands of whoever is hosting the
.js.

This also applies when .js is dynamically included as a type of API call to
embed widgets and whatnot - but in those cases there's a necessary reason -
it's the only practical way - but for a simple .js, you should be managing
your own .js library and publishing on your own (including all the speedup
tricks you know you should be doing)

~~~
wzdd
> Always seemed to me to be a bad practice from a security point of view

This is why I can't understand people's recommendation to use Google's or
Microsoft's CDN. Even if you assume they're not going to be malicious, you
have to trust that they're secure. Not to mention that the CDN owner can
derive accurate traffic stats from the number of requests for the JavaScript.

~~~
jdminhbg
Why would I be less sure that they're secure than my own personal hosting?

~~~
dfranke
No reason you would be. But you can be sure that your personal hosting is more
secure than (your personal hosting ∪ Google). In the latter case if either
breaks you're screwed.

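The dedward/wzdd/dfranke exchange above is about having to trust whoever hosts the script. The browser-side check that bounds that trust is Subresource Integrity (SRI), which none of the commenters mention: the page pins the script to a hash of the exact bytes it was reviewed with, and the browser refuses to run anything else. The following is an added example, not code from the thread or from jQuery; it assumes you keep a local, reviewed copy of the library you load from a CDN, and the script bytes and the `https://cdn.example.com/...` URL below are constructed placeholders.

```python
"""
Added example (not from the thread): pin a third-party script to its exact
bytes with a Subresource Integrity (SRI) hash, so a CDN that is compromised, or
simply serves a different file, makes the browser refuse the script instead of
running it.  Assumes a local, reviewed copy of the library you load from the
CDN; the script bytes below are constructed sample data.
"""
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests SRI allows


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value: "<alg>-<base64(digest)>"."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes, algorithm: str = "sha384") -> str:
    """Build the <script> tag a page would use. crossorigin="anonymous" is
    required for SRI to apply to a cross-origin (CDN) script."""
    return (f'<script src="{src}" integrity="{sri_hash(data, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(data: bytes, integrity: str) -> bool:
    """Mirror of what the browser does on load: recompute the digest of the
    bytes it actually received and compare with the pinned value."""
    algorithm = integrity.partition("-")[0]
    try:
        return sri_hash(data, algorithm) == integrity
    except ValueError:  # unknown algorithm in the attribute: treat as failure
        return False


# Constructed sample "library" bytes standing in for a reviewed local copy of
# jquery-1.4.4.min.js; a real deployment hashes the real file.
SAMPLE_SCRIPT = b"/* sample library */ window.sample = function () { return 42; };\n"
TAMPERED_SCRIPT = SAMPLE_SCRIPT + b"window.sample = function () { return 0; };\n"

if __name__ == "__main__":
    # Placeholder CDN URL; SRI only makes sense over https, where the bytes
    # cannot also be altered in transit.
    print(script_tag("https://cdn.example.com/jquery-1.4.4.min.js", SAMPLE_SCRIPT))
    pinned = sri_hash(SAMPLE_SCRIPT)
    print("original verifies:", verify_sri(SAMPLE_SCRIPT, pinned))
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, pinned))
```

With a pinned hash, dfranke's "your hosting ∪ Google" failure mode shrinks: a changed file on the CDN no longer executes on your site, it fails to load, which is the availability half of the risk that you still own. The same pin also settles the later point in the thread about "latest version" URLs: a hash can only match one build, so an always-latest reference and SRI cannot be combined, which is the behaviour you want if your code was only tested against one version.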
------
jasoncartwright
Perhaps a little harsh. Is the problem bandwidth or connection quantity? If
it's bandwidth then they should just 301 to the Google CDN.

~~~
jeresig
Straight connection overloading. We're already redirecting the majority of the
files - but somehow the hotlinking continues to persist.

~~~
ronnier
How are you preventing hotlinking while still allowing the files to function
normally on jquery.com? Inspecting the referrer or checking to see if other
resources were previously downloaded?

~~~
kmfrk
You can do it in your .htaccess file. Define some extensions that are
blacklisted and redirect referrers outside your own domain to a place of your
choice.

cPanel allows you to do this directly (although you might want to back up your
.htaccess file first).

------
mark_h
Now is probably a good time for a reminder: <http://scriptsrc.net/>

(Up to date CDN links for a bunch of javascript libraries, including jquery)

------
quinndupont
Damn shame. I used to hotlink during testing when I was too lazy to download
the actual JS and host it. It was a nice way to build wicked fast little
sites.

~~~
ceejayoz
Just hotlink to Google's version.

------
rbanffy
Ways to solve the problem once and for all:

- Listing the sites that hotlink it would be a nice idea.

- Changing the script on the hotlinked files to pop-up a warning that the
site is doing something improper and urging people to contact the owner.

- When that doesn't work, break the sites.

------
Fluxx
When the change is made, changing the results of the HTTP GET to some
JavaScript comments explaining what happened and pointing them to some CDNs
which offer the same service would be a good idea.

------
iwwr
The jquery people are being incredibly generous. Others would have just
tweaked the JS to produce some shock site or text to the effect "you are a
bandwidth thief".

------
mike-cardwell
It should be trivial for them to scan their access logs for referrers, and
then send a mailshot out to each domain's webmaster address.

To me, that seems like the polite thing to do.

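Two comments above describe the same referrer logic from opposite ends: kmfrk's .htaccess rule that redirects requests for blacklisted extensions when the Referer is outside your own domain, and mike-cardwell's idea of scanning the access logs for those referrers to notify webmasters. The script below is an added example, not code from jquery.com or from either commenter; it assumes the common Apache/Nginx "combined" log format, and the log lines, hostnames and `webmaster@` list are constructed sample data rather than real jquery.com traffic.

```python
"""
Added example (not from the thread): find hotlinkers in a web server access
log by referrer, using the same referrer test an anti-hotlinking .htaccess
rule applies at request time.  Assumes the Apache/Nginx "combined" log format;
the log lines below are constructed sample data.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# combined format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions that are "blacklisted" for hotlinking, as in kmfrk's rule.
PROTECTED_EXTENSIONS = (".js",)

# Constructed sample log lines (reserved example domains, not real sites).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Dec/2010:10:00:01 +0000] "GET /jquery-1.4.2.min.js HTTP/1.1" 200 72174 "http://www.example.net/page.html" "Mozilla/5.0"
203.0.113.11 - - [30/Dec/2010:10:00:02 +0000] "GET /jquery-1.4.2.min.js HTTP/1.1" 200 72174 "http://docs.jquery.com/Main_Page" "Mozilla/5.0"
203.0.113.12 - - [30/Dec/2010:10:00:03 +0000] "GET /jquery-1.4.2.min.js HTTP/1.1" 200 72174 "-" "curl/7.21.0"
203.0.113.13 - - [30/Dec/2010:10:00:04 +0000] "GET /jquery-1.4.2.min.js HTTP/1.1" 200 72174 "http://blog.example.net/post/1" "Mozilla/5.0"
203.0.113.14 - - [30/Dec/2010:10:00:05 +0000] "GET /logo.png HTTP/1.1" 200 5120 "http://www.example.net/page.html" "Mozilla/5.0"
203.0.113.15 - - [30/Dec/2010:10:00:06 +0000] "GET /jquery-1.4.2.min.js HTTP/1.1" 200 72174 "https://another.example.org/" "Mozilla/5.0"
"""


def referer_host(referer):
    """Hostname of a Referer value, or "" when it is absent ("-") or unparsable."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def is_own_host(host, own_hosts):
    """True when host is one of our domains or a subdomain of one."""
    return any(host == own or host.endswith("." + own) for own in own_hosts)


def is_hotlink(path, referer, own_hosts):
    """The decision a referrer-based .htaccess rule makes: deny only when a
    protected file is requested with a Referer from a foreign host.  An empty
    Referer is allowed, because browsers and privacy tools often send none and
    a rule that blocked it would also break legitimate visitors."""
    if not path.lower().endswith(PROTECTED_EXTENSIONS):
        return False
    host = referer_host(referer)
    if host == "":
        return False
    return not is_own_host(host, own_hosts)


def hotlinking_domains(log_text, own_hosts):
    """Count hotlinked requests for protected files per referring host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the format are skipped, not fatal
        if is_hotlink(m["path"], m["referer"], own_hosts):
            counts[referer_host(m["referer"])] += 1
    return counts


def webmaster_addresses(counts):
    """Candidate notification addresses for the mailshot idea: one naive
    webmaster@<host> per referring host, deduplicated and sorted."""
    return sorted({"webmaster@" + host for host in counts})


if __name__ == "__main__":
    found = hotlinking_domains(SAMPLE_LOG, ["jquery.com"])
    for host, n in found.most_common():
        print(f"{n:5d}  {host}")
    print(webmaster_addresses(found))
```

Two caveats the thread touches on but does not spell out. The Referer header is supplied by the client, so a referrer rule is a nudge for accidental hotlinkers, not an access control: anyone determined can omit or forge it (the same "arms race" axod jokes about with `alert`). And because the rule has to let empty Referers through, the log scan above undercounts: requests from clients that strip the header never show up as hotlinks at all.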
~~~
mootothemax
_It should be trivial for them to ... send a mailshot out to each ...
webmaster address_

Well indeed, but even if you ignore the time taken to do WHOIS lookups and
presume that they'll go to the right person (e.g. blogs hosted on
WordPress.com) you're still ignoring the serious amount of computing power
that it takes to send a significant number of emails.

~~~
rhizome
Shouldn't need to do whois lookups, webmaster@ is required by RFC.

<http://www.faqs.org/rfcs/rfc2068.html>

~~~
pyre
Well, then. They can just report any domains that bounce webmaster@domain to
the local authorities, and a round of arrests and/or fines will definitely be
in order.

~~~
chronomex
rfc-ignorant.org is all over that already.

------
rorrr
Just for the record, here are the CDN versions:

<http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js> (always the
latest version)

<http://code.jquery.com/jquery-1.4.4.min.js>

<http://ajax.microsoft.com/ajax/jQuery/jquery-1.4.4.min.js>

~~~
Encosia
Avoid using the "latest version" reference. In order to ensure that it's
serving the latest version, it serves the script with an extremely short
expires header.

~~~
scotth
Not to mention that referencing the latest version means that your code will
be untested against anything but the library version you built against.

