
How Google’s CDN prevents your site from loading in China - anubiann00b
http://edjiang.com/post/97299595332/how-googles-cdn-prevents-your-site-from-loading-in
======
realusername
It's partially related but something I would really like to have is a cross-
website cache for public scripts. Around 80% of the size of the scripts is
public libraries used by almost everyone (jquery, bootstrap, moment.js,
various jquery plugins, angular...) and each of them is downloaded thousands
of times.

One simple solution could be something like this:

    <script type="text/javascript" src="/js/jquery.min.js"
            public="sha1:356a192b7913b04c54574d18c28d46e6395428ab"></script>

This way the browser can have a look at the hash and not query the file at
all. This could not lead to security issues since the hash saved by the
browser is not the hash displayed but the one computed with the actual file.
(and obviously you are only using the public attribute for scripts which are
meant to be public).

With this technique, the most popular libraries could be cached and not
downloaded by users.

~~~
ris
Great - use the hash of an obscure site specific script, then detect how
quickly the script loads and you know whether your victim has visited the site
because they have it in their cache. Looks like a surefire route to a cache
information leak to me.

~~~
cbr
You can already do that.

    good.com:
        <script src="/js/site.js"></script>

    evil.com:
        <img src="https://www.good.com/js/site.js">

Then use the navigation timing api to figure out whether the js was already in
cache.

~~~
cbr
(Actually, you could use the onload event; you don't actually need navigation
timings.)
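
The sub-thread above, as an added model in Node.js (not part of any comment and not browser code): a cross-site cache keyed by the hash computed from the received bytes, as realusername proposes, showing that a false declared hash cannot poison an entry, while a hit or miss on a site-specific hash still reveals a prior visit, as ris objects. `HashCache`, `load` and the script bodies are constructed for illustration, and `fromCache` stands in for the load-time difference a page would observe.

```javascript
const { createHash } = require('node:crypto');

const sha1 = (body) => createHash('sha1').update(body).digest('hex');

// Hypothetical shared cache: computed sha1 -> script body.
class HashCache {
  constructor() { this.store = new Map(); }

  // Models <script src=... public="sha1:DECLARED">.
  // fetchFn stands in for the network request to the page's own src.
  load(declared, fetchFn) {
    if (this.store.has(declared)) {
      return { body: this.store.get(declared), fromCache: true };
    }
    const body = fetchFn();
    // Key on the digest of the bytes actually received, never on the attribute.
    this.store.set(sha1(body), body);
    return { body, fromCache: false };
  }
}

function demo() {
  const cache = new HashCache();
  const jquery = 'window.jQuery = function () {};';   // constructed sample
  const siteJs = 'console.log("good.example app");';  // constructed, site-specific
  const other = 'console.log("different bytes");';    // constructed sample

  // A page declares jQuery's hash but serves different bytes.
  cache.load(sha1(jquery), () => other);
  // A later honest page still gets a miss and receives the real library.
  const honest = cache.load(sha1(jquery), () => jquery);
  const poisoned = honest.fromCache || honest.body !== jquery;
  // Third site: now a genuine cross-site hit.
  const shared = cache.load(sha1(jquery), () => jquery).fromCache;

  // The leak: hit or miss on a site-specific hash is observable to any page.
  const probeBefore = cache.load(sha1(siteJs), () => '').fromCache;
  cache.load(sha1(siteJs), () => siteJs);              // user visits the site
  const probeAfter = cache.load(sha1(siteJs), () => '').fromCache;

  return { poisoned, shared, probeBefore, probeAfter };
}

console.log(demo());
```

The integrity claim and the privacy objection are both true at once: keying on the computed hash protects what the cache returns, not the fact that an entry exists.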

------
scrollaway
Linkbait title aside, this is a pretty good argument in favour of graceful
degradation for scriptless pages. If the JS libraries/cdn/what not you deal
with are on a CDN which is down for whatever reason (be it blocked,
temporarily offline or "I forgot to pay them"), it's important for your site
not to block on the requests and to display the text content your users want
in a readable format.

We're not talking "web 3.0 apps" here, we're talking documents - news
articles, "Contact Us" pages on a company site, etc.

It's also one of the scarier downsides of centralized CDNs. It's too easy for
a single site to get blocked or go down temporarily and suddenly, thousands of
websites become inaccessible. And this is not a situation we can keep brushing
off for long; there is a real need for decentralized solutions.

------
lnanek2
Every time I've talked to a business that wants a web site or server backed
software product for Chinese users, they've said the server has to be in
China. This is why. Even when you do manage to get a request out, it is often
laggy and worthless from a UX perspective. Linking out of the country for
resources needed to load the page is just ignorant.

------
tnuc
The problem is that most things hosted by Google resolve to ghs.google.com.

Given that China blocks sites that it doesn't like by simple DNS, then all
Google hosted content is blocked.

And of course Google blocks sites hosted from being seen in places like North
Korea, Iran, Cuba, Syria, etc. due to the way that Google enforces U.S.
sanctions. Google is not alone on this.

------
final
Or maybe just use the standard fonts and don't use a CDN. 99.99999% of the
sites on the internet gain very little from CDN. Yeah it's a cool technology,
it's nice to pretend you're important, but in the end CDN is an expensive (in
complexity and risks) toy.

------
cornewut
It's not like Google is blocking something. Google is blocked by China.

------
kbar13
google fonts alternative =
[https://github.com/alfredxing/brick](https://github.com/alfredxing/brick)

~~~
thoughtpalette
Thanks for that! I have not seen this one come up.

------
azinman2
Why does the "fix" have to be the cdn versus China itself? Why is that being
ignored as the real issue?

~~~
untog
Pragmatism? If you want your web site to be viewable in China you can

a) change a URL

b) campaign for open internet access in China

which one is likely to be more effective?

------
cj
> I’m not sure of a good alternative to Google Fonts though.

Is Adobe's Typekit blocked?

------
crishoj
Simple solution: Host JS libs on an HTTPS domain that China cannot afford to
block, e.g. GitHub. See [https://greatfire.org](https://greatfire.org) for a
practical take on this approach.

~~~
jdbernard
I don't understand. If China can afford to block Google, why wouldn't they be
able to afford blocking GitHub?

~~~
final
Because in OP's world GitHub is very important, and he believes Chinese
bureaucrats are like him.

I currently do consulting work for a Fortune 20 corporation and their firewall
blocks cloning of GitHub repositories. They have over a thousand developers on
site ... I'm thinking of writing a scraper, that clones from the Web pages,
which do open.

