Ask HN: How do you feel about using cdnjs.cloudflare.com?

[TekMol]

Any pros and cons of using public CDNs to deliver the libraries you use? With Subresource Integrity in place, it seems to not be a security risk anymore, right?

So the only downsides I can think of are the additional DNS lookup and the risk that it breaks if the CDN goes down.

How do you feel about it?

[aww_dang]

Cloudflare pops captchas with a 403 for resources in some cases. This can break your site for users. The main document may load, but resources won't. Of course users won't realize this or see the captchas.

[onion2k]

That's quite an extraordinary claim. Surely they don't do that for anything other than requests for the root document of a page, or if the request looks like it's been generated programmatically. That would be incredibly dumb to do that for normal requests for sub-resources on a page. It'd completely break the entire point of using a CDN.

Is there any documentation that states this is what happens, or is it only anecdotal?

[ev1]

This is unrelated to cdnjs, which shouldn't do that, it "should" just be dumb static hosting with security off.

But yes, it absolutely does this for sub resources on a CF hosted site. If you <img src> an image it's entirely likely that the image doesn't load if you pass one CF check and fail another.

Why would it? You want people to bypass L7 filters by simply adding a fake referrer or header?

[aww_dang]

If the referrer has a valid cf_captcha url parameter, then they shouldn't be popping captchas for resources.

[MattIPv4]

Hi from cdnjs,

This is not something that should be happening, and I've not ever seen any reports of it happening.

Do you have any info on exactly when you've seen this happen? This is something we'd definitely like to investigate and resolve if it's happening.

- Matt.

[aww_dang]

How about on Cloudflare's own help pages?

https://pbs.twimg.com/media/EFguS8oU8AEVslR?format=png

https://support.cloudflare.com/hc/en-us/articles/200170136-W...

I already reported this. The support person argued the point instead of addressing it.

I'm seeing this daily on a Cake affiliate portal. I wouldn't consider using any Cloudflare services for my sites. Instead of filling out captchas, I just skip content hosted by Cloudflare. Not worth my time.

[TekMol]

This seems to be a misunderstanding.

You seem to refer to sites served by Cloudfront.

My question was about their asset CDN located at cdnjs.cloudflare.com

A website might be a target of a DOS attack, so it could make sense to have some heuristics in place to prevent those.

An asset CDN is less likely to be attacked since it only hosts static content. And a captcha would not make sense as a signal for this because nobody would see it.

[aww_dang]

Right, nobody sees the captchas for the static CSS files either. I agree that doesn't make any sense. Besides being inconvenient and broken, "doesn't make sense" is synonymous with unpredictable. Hope this helps.

You're making a distinction between their services. That's fine, I understand and disagree. As a publisher/developer, I wouldn't be interested for the reasons listed.

Aside from that, for most new sites, I remove unused CSS, JS and inline everything into the document. Better pagespeed score this way.

[TekMol]

Wow, that would be a big one!

Where did you see this happen? Do you have a link that backs this up?

Why would they ever put a captcha in front of a file served from their cdnjs subdomain?

[myroon5]

Notable that cdnjs curates only popular libraries. May need an alternative like jsdelivr if not available on cdnjs

[iio7]

This has become a real cancer on the net, using CDNs for everything. Put the stuff you use on your website, that not only eliminates all the extra DNS querying, but it also prevents someone like Cloudflare to track users.

I'm running with uBlock Origin and I block ALL third party CDN stuff. If a website cannot figure out how to store content locally, I wont use it!