
Sky parental control system blocks code.jquery.com - digitalclubb
http://www.thinkbroadband.com/news/6261-sky-parental-controls-break-jquery-website.html
======
belorn
ISP interference makes for an interesting question regarding liability. Their
interference is now potentially causing massive amounts of economic damages to
companies which rely on the jquery library. Webshops, economic infrastructure,
hospitals, transportation systems are just a few that rely on having fully
functional websites up and running.

But for liability, a few questions pop up. Who is the offended party, and how
much negligence is required for software bugs? Does it need to be a civil suit
with each customer, or can the website owners sue? If a truck crashes right
outside a store and disrupts business, the store owner can sue even if they
have no formal relation with the truck company.

~~~
Cthulhu_
Alternatively, does code.jquery.com offer any kind of uptime guarantee? Big
companies would rather rely on their own hosting / CDN than that of jquery,
I'm sure.

~~~
davidgerard
code.jquery.com has in fact gone down in the past, and this did in fact bite
my workplace in the backside.

We went to locally-hosted copies of jquery stuff. We kept using Google for JS
they hosted, since their uptime way beats ours.

~~~
repsilat
> since their uptime way beats ours

You link to Google's JS so your users can still get it when your own site is
down?

If you hosted it yourself your users would see a working site whenever you
were up. Now they will see a working site whenever both you _and_ Google are
up. This has not improved effective uptime for anyone. (On the other hand,
Google might serve the JS faster, especially if your users cache it. They may
also keep their copies more up to date.)

~~~
andrewflnr
GP's point is that it also hasn't noticeably decreased uptime. So especially
if there's a speed benefit, why switch?

------
csmithuk
Sky user here[1].

Turn it off then!

This is entirely optional. It asks you when you first install and connect the
router via the WiFi landing page if you want to use any blocking. If you don't
answer the question or select no, there is no blocking at all apart from the
IWF firewall stuff. Every kind of blocking comes with problems of some
description. You either live with it or trust your users.

[1] £7.50/month for ADSL2 for 12 months with line rental and calls included
was too good a deal to throw away. I'd go for Andrews & Arnold if I could
afford idealism at the moment.

~~~
voltagex_
Interested Australian user here. That's about half of the cost of our cheaper
monthly ADSL2 plans - what's the catch? How far away from the exchange are
you?

~~~
csmithuk
Well I was an O2 customer. Sky bought O2 last year and in the effort to
maintain their customer-base they will give you silly offers if you argue with
them for long enough. It's usually £20.50/month including line rental but I
argued it down to £7.50/month on the basis I stayed with them for 12 months.

No catch. Confirmed no traffic management, no download limit, free router,
free migration. This is purely for customer retention.

I'm 800m away from the exchange and get 12.2Mbits down and 1.1Mbits up.

I pull an average of 120Gb/month over the line with no problems.

Edit: just to add I was paying £35.50/month with O2 before which is crazy
amounts.

~~~
Cor
I wish I was having as good a time as you are.

I was on o2 for 3-4 years before being transferred over to Sky last month.
Since transferring, I've had nothing but problems. Online gaming pings have
gone from 20 -> 50, download speeds have fallen 20-30%, my connection
frequently hangs (Youtube is near unusable), and I now have issues loading
websites from time to time (I had to refresh Google 3 times before it loaded
earlier). To make things worse, Sky is charging me £15.50 a month while o2 was
only charging £7.50.

Thankfully, BT is installing fibre in my area so I should be able to jump over
to plus.net sometime soon. I can't wait.

~~~
csmithuk
If it's unusable, tell them and say you will stop paying for it as it doesn't
live up to their advertising. Your rights are protected outside the contract.
Threaten to complain to Ofcom if they resist. They'll let you leave and give
you the MAC code.

I'm in London and my exchange has Sky LLU support. Coincidentally I live in
the same postcode as Sky HQ so any problems, I'll talk face to face with them
as I have some contacts.

~~~
Cor
I did ring technical support to get the issues fixed last Thursday --
apparently a higher level technician will call me back within '10 working
days'. Hmm.

I'm not trapped by a 12 month contract, which is why I'm not too annoyed about
the situation. My cabinet will get fibre fitted early next month, so I should
only have to endure Sky for another month or two thankfully, which is ok by
me.

~~~
csmithuk
Cool good news then :)

------
rmrfrmrf

        <script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
        <script>window.jQuery || document.write('<script src="path/to/your/jquery"><\/script>')</script>
    

Source: http://stackoverflow.com/questions/1014203/best-way-to-use-googles-hosted-jquery-but-fall-back-to-my-hosted-library-on-go

~~~
youngtaff
I'd question whether this is a worthwhile fallback as depending on what the
error is then the browser may still wait 30 (ish) seconds for the original
request to time out.

~~~
rmrfrmrf
I look forward to seeing what you come up with.

------
Robin_Message
That is really not very reassuring in terms of the level of technical
understanding/oversight in managing their block list.

Mind you, I'm not surprised that someone updating the list on a Sunday
night is not qualified.

~~~
DanBC
I'd be interested to see if the initial blocking was part of an automatic
system - block everything in this malicious page - and was fixed when the
competent people got in to work to see all the complaints and reports?

That can't be true because it would make reputation attacks really easy.

------
markdown
Sucks for the people affected by this, but if the result is that more people
use google for this, I'd be a happy bunny.

Why would anyone use code.jquery.com, really? They obviously don't mind a
third party hosting their js, so why not use the most popular service (google)
to increase the chances that users arrive at their website with jquery already
cached?

~~~
nly
> Why would anyone use code.jquery.com, really?

Because webmasters would rather compromise the security and integrity of their
site, and the privacy of their users, than pay for the initial burst of
bandwidth and latency for first time visitors. jQuery 2.1.0 production,
minified and gzipped is still over 30KiB, compared to this thinkbroadband page
which is only 6 KiB (and yes this page uses about half a dozen external js
resources, including jQuery)

Perhaps it's about time we had a way to specify the hash of <script> source
inline so browsers can serve files from cache even if they are from different
origins

~~~
al2o3cr
Sure, that sounds brilliant: allow anybody who can compute a hash collision to
poison _other sites'_ JS libraries. _facepalm_

~~~
1stop
A slightly more sensible approach may be to allow script tags (or any external
linking mechanism) to list multiple (trusted) sources, and fallback
appropriately.

That certainly feels more in line with how the internet in general was
designed.

    
    
        <script src="googleapi/jquery,code.jquery.com/jquery,/my/own/version/jquery">

~~~
ufo
The point they were making is that googleapi and code.jquery.com don't count
as trusted (at least not until you verify the hash)

~~~
nly
The domains are obviously trusted to a degree. The objective of the hash is
just to allow a content addressed[0] clientside web cache, and avoid talking
to them most of the time. Good for privacy, security and load times.

[0] http://en.wikipedia.org/wiki/Content-addressable_storage
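
Added example, not part of any comment in this thread: the hash check debated above, written against the format browsers later standardized as Subresource Integrity (the `integrity` attribute), combined with an ordered multi-source fallback. The function names, the stand-in library string and the three sources are constructed for illustration, and the code runs in Node.js rather than in a browser.

```javascript
// Added example (not from the thread). Node.js, standard library only.
const crypto = require('node:crypto');

// Algorithms allowed in an integrity value, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Build an integrity value such as "sha384-<base64 digest>".
function sriHash(body, algo = 'sha384') {
  if (!STRENGTH.includes(algo)) throw new Error('unsupported algorithm: ' + algo);
  return algo + '-' + crypto.createHash(algo).update(body).digest('base64');
}

// Parse a space-separated integrity value; malformed or unknown tokens are dropped.
function parseIntegrity(integrity) {
  return integrity.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? { algo: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// True if body matches any digest of the strongest algorithm listed.
function verifySri(body, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false; // fail closed (stricter than browsers)
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.algo)));
  return entries
    .filter((e) => STRENGTH.indexOf(e.algo) === best)
    .some((e) => crypto.createHash(e.algo).update(body).digest()
      .equals(Buffer.from(e.digest, 'base64')));
}

// Walk an ordered source list and return the first whose body verifies.
// body === null models a source that was blocked or timed out.
function pickSource(sources, integrity) {
  for (const { name, body } of sources) {
    if (body !== null && verifySri(body, integrity)) return name;
  }
  return null;
}

// Constructed sample data: a stand-in "library" and three candidate sources.
const LIB = 'window.jQuery = function () {};';
const PINNED = sriHash(LIB);
const SOURCES = [
  { name: 'cdn-a', body: null },                             // unreachable
  { name: 'cdn-b', body: '<html>Access restricted</html>' }, // altered response
  { name: 'self-hosted', body: LIB },
];
console.log(pickSource(SOURCES, PINNED)); // prints "self-hosted"
```

Subresource Integrity only verifies what was fetched; browsers do not use the hash as a cross-origin cache key, so it does not by itself give the content-addressed cache described above.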

------
jdorfman
FWIW my company (MaxCDN) provides the CDN service for code.jquery.com. We are
currently investigating this issue with Sky.

Edit: Just saw this: "It appears that the jquery CDN is unblocked once more on
Sky connections where the phishing filter that is part of the parental
controls system was enabled."

We will continue to work with Sky to prevent this from happening in the
future.

------
maxcan
to be fair, teaching direct dom manipulation is far more harmful to children
than any amount of porn or violence.

------
taspeotis
Reminds me of some article I read about having some fallback mechanism for
when whatever CDN is serving up your JS fails. "Who controls downtime? You
do."

~~~
davidgerard
Make sure your CDN has better uptime than you do. e.g. Google.

