[nycphp-talk] security & google ajax lib (was: Ajax UI...)

Wed Dec 10 12:32:31 EST 2008

On Wed, Dec 10, 2008 at 11:25 AM, Daniel Convissor
<danielc at> wrote:
> Hi Greg:
> On Tue, Dec 09, 2008 at 05:46:24PM -0500, Greg Rundlett wrote:
>> Using multiple libraries got you down?
>> With the Google AJAX Libraries API, it makes it easy to use libraries
>> without actually installing and maintaining the library infrastructure
>> locally
> Interesting.  I'm wondering what the security implications of this are.
> Also there's the issue of giving Google even more data about browsing
> habits.
> Finally, there are folks like myself that use Firefox's NoScript add-on
> that allows me to limit which domains can load JavaScript in my browser.
> I tend to not allow sites other than the one I'm looking at to run JS.
> --Dan

You pretty much nailed it, Dan. In exchange for convenience, you let
Google own your users' browsing habits.

I'm not so concerned about security -- I think it would be incredibly
embarrassing to Google if one of those hosted javascripts got
compromised -- but I would worry about application breakage should
Google update to a newer version of a library, or delete an old, buggy

And agreed wrt NoScript. On the other hand, it should be safe to allow
those scripts... see potential embarrassment to Google if any of those
hosted libs contains trojan code. One hopes they have part of the
brain trust actually looking at the scripts before committing them to
the global Googlescape.

Chris Snyder

