
You shouldn't hotlink someone else's JavaScript - jsnk
http://beta.whatispolymath.com/
======
jacquesm
And that's a pretty mild example of what could happen if you did. Hotlinking
javascript is an excellent way to allow someone else to pull all kinds of
tricks with your visitors and your image. For example, redirecting all your
traffic to a shocksite.

Every time you include some externally hosted javascript you open yourself and
your visitors to a security risk. And on top of that, if you do it like this
you're stealing bandwidth.

When including remotely hosted javascript make sure you have permission, make
sure the other party is trustworthy and periodically review the linked script
to make sure it does what is advertised (and that's imperfect, it could be
you're seeing something else than other visitors).

~~~
ballard
The standard pattern is never use external dependencies directly, but to keep
copies _and_ host them on your CDN.

That way, you can run them through the ol' asset pipeline too... minifiers and
possibly serve them straight from gzips.

Gotta always remind ppl of
[https://developers.google.com/speed/](https://developers.google.com/speed/)
... the OP scores 47 (out of 100)

~~~
grey-area
_The standard pattern is never use external dependencies directly, but to keep
copies and host them on your CDN._

For dependencies you can control, it's obviously best to keep a local or CDN
copy. However this trend of embedding js from all over the web is encouraged
by the pattern that most of the big sites allowing you to embed content use:

e.g.
[https://developers.google.com/+/web/badge/](https://developers.google.com/+/web/badge/)

Google, Twitter, Facebook all want you to embed js hosted on their servers in
your page in order to interact with their site, even if all that script does
is then insert an iframe into the page. By including a button or widget like
the one above you're trusting them not to take over your site in a manner
similar to this example, track your users surreptitiously, or be compromised
now or in the future.

~~~
jacquesm
One thing that will happen is that domains that get abandoned that _used_ to
host benign js will get taken over by the jerks. That's very hard to protect
against, and with the rate at which start-ups encourage people to embed their
tags I'm kind of surprised there hasn't been a significant incident like that.

~~~
mtrimpe
Good point. I imagine you could make a pretty penny by hijacking credit card
detail entry forms.

To evade detection you can even have the hijacking code only included on pages
that actually collect credit card info.

~~~
sneak
Or only serve it to 10% of requests, making it a heisenbug for the site owner
attempting to track it down. :D

------
chewxy
Screenshot for potential future confused HNers when Polymath realizes it and
uses a real CDN:
[http://i.imgur.com/A8JzHtK.png](http://i.imgur.com/A8JzHtK.png)

~~~
bhauer
Thank you. At first, I didn't see anything of interest and briefly wondered
why I was at a site that had nothing to do with the HN subject.

It hit me that the submission was to a demonstration rather than an article,
so I temporarily instructed Noscript to allow all domains used by the page.
Sure enough, now the banner appeared.

But that speaks to another reason to not use too many scripts hosted by third
parties. It makes for a very cluttered list of domains for users of Noscript
and similar to authorize. I just leave sites that have more than a small
number. How many third-party analytics, tracking, tools, social sharing,
voting, polling, comments, shopping, deals, and other tools do you really need
to embed to make a web site these days?

I love when the list is just domain.foo and domain-static.foo and maybe
google-analytics or another mainstream analytics domain.

~~~
Wingman4l7
Don't forget that sometimes you need to allow the site's CDN domain as well.

The problem with Noscript is that it doesn't seem to differentiate between
allowing a domain when it's actually a site you're visiting _(say,
facebook.com)_ and when it's a domain that a completely different site is
trying to load content from. A straight whitelist is too "dumb" for today's
web.

------
TheAnimus
>We noticed that you're using Internet Explorer. Polymath currently does not
support this browser because compatibility issues prevent us from delivering
an ideal experience. We're working on fixing these issues.

People do realise that some company networks give you no control over which
browser you can use right? I can't understand what feature they would need
which is missing from IE10. Why not use feature detection? We've moved on from
browser detection...

~~~
oneeyedpigeon
[http://caniuse.com/#compare=ie+10,firefox+24,chrome+29](http://caniuse.com/#compare=ie+10,firefox+24,chrome+29)

~~~
TheAnimus
Sure, I don't mind if bits don't work, if I miss out on some WebGL stuff or
similar.

But to just put up a big fuck you, to what is the second most popular or most
popular browser as a whole isn't helpful. It reminds me of people using Java
Applets for navigation in their frames webpage.... Actually I did that once, I
was however 11, and this thing had a spinny thing.

Sure, do cool stuff that requires features which some browsers miss, use
feature detection to flag that.

~~~
benjamincburns
> Sure, do cool stuff that requires features which some browsers miss, use
> feature detection to flag that.

To be fair, graceful degradation is still a _ton_ of work. It's fine if you're
using neat-o features for superficial things (round ALL the corners!). However
when you decide to rely on newer tech for more core site features, it means
you wind up having to code, and test, twice. Once for the real features in the
preferred environment, and once for the degraded features in the non-preferred
environment.

If you don't have the resources but you still want to use the stuff with
limited support, I think it's polite to include a "hey, we don't test for your
configuration so feel free to give us a try, but we apologize if things don't
work correctly" banner. I think it's also polite to warn your users where you
know things are just painfully broken. "The experience is bad here for users
with your configuration."

------
martin-adams
There are a few techniques you could use that don't affect the visitor
experience of your own.

- Detect referrer and return a script that has a warning

- Rotate your script filenames so those hotlinking will soon realise they
will need to host it themselves

- Use a CDN yourself and don't encourage them to hotlink

- Slow down the request

For those hotlinking, consider:

- You can't trust the source of the code

- You can't trust that the code will always be there and it will load quickly

- You can't trust that the contents of the code won't change and break your
application

If you want to be sinister to those hotlinking you could:

- Redirect the user (as others have noted)

- Display any message to the user

- Steal data from the user who is using the site hotlinking

- Inject your own adverts into the target web page

- Make the web page do the Harlem Shake

------
jimktrains2
This isn't a finished blog post yet, so bear with me.

In [http://jimkeener.com/posts/http](http://jimkeener.com/posts/http) I have
two things which I think would be great additions to both HTTP and HTML.

The first are Content-Signature (signed with the TLS key perhaps) and
Content-Hash (format: "hash-algo base64-hash-value") headers.

The second is allowing a hash and/or signature attributes on elements that
have a src attribute. This would allow the UA to check if the file is already
cached (across domains perhaps too, though I'm not sure how serious collision
attacks would be) without having to check the server.

EDIT: I feel that these two features, in combo, would allow for a more secure
method of using CDNs for things such as javascript libraries. They would also
allow a better fallback method for loading local resources than what is used
now.

    <!-- Load jQuery from Google's CDN, then fall back to a local copy if it failed -->
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
    <script>
    if (!window.jQuery) {
        document.write('<script src="/path/to/your/jquery"><\/script>');
    }
    </script>

~~~
benjamincburns
Well it just so happens that the IETF is working on the http 2.0 spec now. See
[https://github.com/http2/http2-spec](https://github.com/http2/http2-spec)

~~~
jimktrains2
Yes, that is what my response was in response to. In fact I believe I link to
it (not the github version but on the ietf site).

However, I felt that some of the points I brought up in what I'd like to see
were relevant to this discussion, even if the entire blog post isn't. This is
why I highlight the points that are relevant in my comment.

~~~
benjamincburns
Sorry, what I meant was that if you think these are important features, the
README.md in that git repo describes the process to get them added.

~~~
jimktrains2
I also feel that the entire spec for HTTP 2 is misguided, so I don't think
most of my recommendations would be welcomed.

~~~
benjamincburns
There's only one way to find out... ;-)

------
ivan_ah
The hotlinked js in question is:
[http://gsgd.co.uk/sandbox/jquery/easing/jquery.easing.1.3.js](http://gsgd.co.uk/sandbox/jquery/easing/jquery.easing.1.3.js)

That is a neat way to communicate ;)

Polymath sounds like a cool idea BTW, but probably difficult to monetize.
Somebody must pay the tutors for producing/curating the content, but people
have gotten so used to educational material being free...

~~~
marceldegraaf
Linking to the file from a popular HN thread will likely only worsen the
bandwidth issues for the owner :-). Perhaps link to the Github version
instead, which is here:
[https://github.com/gdsmith/jquery.easing](https://github.com/gdsmith/jquery.easing)

------
geuis
Ok there is a better way to handle this than adding some html to a page to
make a banner, posting to HN, and hoping for the best.

Check for referral headers and throw a 301.

~~~
jacquesm
Compared to what could have happened this is actually pretty mild.

~~~
marshray
Everyone these days is so polite.

OK, that was a bit of an exaggeration. But back in _my_ day the web had a
whole site high-bandwidth site specifically for educating careless webmasters
about the dangers of hotlinking: g o a t s e . c x.

It was used to great effect on things like auction sites where the original
page html was not allowed to be changed after listing.

~~~
readme
I'm not sure if politeness is the motivator. Imagine if you had done that, for
all hotlinks to your script. Then, it turns out a children's website is
hotlinking your script.

Some idiot at Company X decides that it's actually your fault, since its your
script that did it. To save face, they get an expensive lawyer to sue you.
Next thing you know, you're a registered sex offender.

~~~
sneak
> To save face, they get an expensive lawyer to sue you. Next thing you know,
> you're a registered sex offender.

Please learn the difference between civil and criminal law.

~~~
marshray
Back in the 90's it wouldn't be unthinkable for someone to be criminally
prosecuted for goatse-ing a minor in Snookelatchee County, Kentucky.

------
BadassFractal
Lots of services out there like browser-update.org tell you to load snippets
of js over http from some random location they control. It's pretty unsafe
unless you really know who's running the show over there and how secure their
system is. Them being compromised could make every user site vulnerable.

~~~
mjpa
There is of course the maintenance issue... what happens when their script is
updated and breaks how you use it?

~~~
Cthulhu_
Usually, library scripts are versioned in their filename, so won't be updated
after release.

------
cl8ton
A car dealer was hot linking to pictures of our cars from a sports car forum I
belong to and using them to sell his same models on eBay.

We changed to pics of Male Enhancement devices and medication and shared with
other car forums, we all watched for days and the guy was pretty clueless on
what was going on and apparently didn’t check his ads as often as he should.

We even had a vote for what pic appears today poll.

Remember: The first rule of Changing hot linked photos club is to never talk
about changing hot linked photos.

~~~
eric_the_read
In the very early days of lolcats, I nearly got fired because an image macro I
referenced in an email got replaced, several months later, with.... let's just
say it was the sort of image that rivals goatse for disgusting.

Fortunately, my company's IT department had enough of a clue that when I
explained what had happened, they agreed it was possible; it was a tense week,
though, while they investigated.

I'm not saying the sort of reaction in parent isn't always appropriate, but
just be aware that people's lives can be ruined to save a few dollars. I think
the OP's solution is ideal: it alerts people to the problem in a very
professional way, and provides solutions for the most common cases.

~~~
cl8ton
100% agree with you, always weigh the damage it may cause.

In the case I mentioned, this was a well known bad actor in the auto circles
known for ripping first time buyers off with shady tactics and misrepresenting
facts.

------
daviddede
This has been going on for a few months with other sites:

[http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html](http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html)

thanks,

------
marvwhere
A friend asked me some days ago: can you help me with a little problem? My old
coder has no time to fix it.

The classic: "it worked yesterday..."

So I checked the code and all JS and CSS files were used from a git repo from
some other guy, who moved all files away into other directories.

It was easy to fix, but I have no idea how stupid his coder is to use GitHub
URLs from other people's repos!!

------
artumi-richard
whoops, not sure he wanted it here too.

[http://gsgd.co.uk/sandbox/jquery/easing/](http://gsgd.co.uk/sandbox/jquery/easing/)

~~~
herpyDerpy
Ha ha!

Actually, it's not a bug, pretty obvious he's "demonstrating a feature"... :)

------
thejosh
Find more here:
[https://www.google.com.au/search?q=%22http%3A%2F%2Fgsgd.co.u...](https://www.google.com.au/search?q=%22http%3A%2F%2Fgsgd.co.uk%2Fsandbox%2Fjquery%2Feasing%2Fjquery.easing.1.3.js%22&oq=%22http%3A%2F%2Fgsgd.co.uk%2Fsandbox%2Fjquery%2Feasing%2Fjquery.easing.1.3.js%22&aqs=chrome.0.69i57j5.856j0&sourceid=chrome&ie=UTF-8)

~~~
m_ram
Even more interesting is all the people who don't know why they're getting
this error message:
[https://encrypted.google.com/search?hl=en&q=%22Please%20stop...](https://encrypted.google.com/search?hl=en&q=%22Please%20stop%20hotlinking%20my%20easing%20script%22)

~~~
junto
Yep, I thought that too. The vast majority of website owners have had external
developers build their websites. Often those developers are long gone and the
website owners left to their own devices (or CMS's). The site owners are now
confused and think they have been hacked and don't know where to turn to.

There is actually a business proposition here. You could contact George Smith
and ask him for a list of all HTTP referrers. Then contact each site in turn
and ask them if they need any help.

Even if they have it sorted already, it might be a good intro into some of
these small enterprises.

------
rmdoss
That page was like that for a while, since the author of that plugin has done
that a few months ago:

[http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html](http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html)

------
ronaldx
I take this to be a proof-of-concept for ajax.googleapis.com in N years time.

"The archive web, sponsored by..."

------
andyhmltn
Very very lucky. All they had to do was:

document.location = '...'

and route the page to a java drive-by which redirects back afterwards and most
of their visitors would've been infected. They are incredibly lucky that the
owner of that script was nice enough just to add a simple banner.

------
joshfraser
It's always blown me away how willing people are to install remote JavaScript
on their sites, including top sites that you would expect to be more cautious.
A lot of internet retailers include dozens of third party JavaScript files on
their pages for analytics, social widgets, retargeting, etc. The way they
handle the risk is by using constant monitoring by security auditing firms to
check for changes in any of the files (presumably from different locations,
browsers, user-agents, etc).

------
joeblau
That's an interesting way to warn users of the error of their ways. I recommend
the CDN route for anyone who is standing up a web application for performance
more than anything. With a CDN the page load time on my site went from 1.5
seconds to under .5 seconds. You also get the added benefit of someone not
injecting code into your website.

------
driverdan
This site is full of bad practices.

* Never link to someone else's files (JS, images, etc).

* Don't use S3 as a CDN. It's not a CDN. Latency can be bad. Use CloudFront.

* Minify and combine CSS and JS.

* Put your JS at the end of the page.

------
zenith2037
I always thought this tip was common sense... Although my entry to the
programming world wasn't through the normal means.

------
jimaek
Also a good CDN alternative [http://www.jsdelivr.com](http://www.jsdelivr.com)

------
Yhippa
13 hours from the time this was posted and it's still being hotlinked.

------
samelawrence
How is this even a thing we're discussing?

This just seems so obvious.

------
kbar13
Good guy developer, goes above and beyond to help his users

+1!

------
benhalllondon
    // window.location.origin carries no trailing slash, so compare against the
    // bare origin; comparing against "http://beta.whatispolymath.com/" would
    // redirect the real site to itself in a loop.
    if (window.location.origin !== "http://beta.whatispolymath.com") {
        window.location = "http://beta.whatispolymath.com/";
    }

------
segfault1212
At least that site is listed as beta. Check out this real estate site that is
making millions of dollars selling condos and town homes.

[http://www.fairwaytownecenter.com/](http://www.fairwaytownecenter.com/)

------
oakaz
just remove that file and force people to use CDN, do you really need to prove
your abilities Mr. Einstein ?

