Local Replacement for ajax.googleapis.com (feature request)
Posted: Mon Apr 28, 2014 3:44 pm
Hi Developers,
I would like to propose an enhancement to NoScript to improve browser performance and enhance end use privacy and security.
On reading over the change-log for NoScript, I came across the following item:
x [Surrogates] Fixed Google Analytics surrogate breaking some javascript: links (thanks Will for reporting)
Google Analytics is a tracking feature used my many web sites to follow browser use across different websites. Google Analytics is widely used because it is easy to implement and because web developers ( and their customers ) consider Google to be a more reliable source of statistics than their own web server logs.
Now that NoScript is around, Google is rethinking how they can reliably track people without Google Analytics. They have a clever work around for the problem: force people to load jquery via SSL from Google servers. Since jquery is used by seemingly every single web site, and "best practice" is to load jquery from Google, there is a virtual certainty of tracking all modern browsers this way.
This man has figured out how to server a local copy of jquery from an Apache instance hosted on his local machine:
http://development.genusa.com/?p=211
While I admire what he is doing, I think that the number of people willing to go to the trouble is pretty minimal. Moreover, the proper place to put this is in the browser so you don't have to deal with SSL proxy issues.
Jquery is an abomination. I would much prefer to browse the web with JavaScript turned off, but for many ( if not most ) sites, that is not possible. The next best thing is to control the content of the js that reaches my machine. Please consider adding this enhancement to NoScript. it would:
*) Enhance browser security. The ajax.googleapis.com server must be the holy grail of hackers. It would also be a preferred vehicle for malicious governments or corporations to target individuals or entire countries. Likewise jquery.org and Google are trusted with a shockingly large percentage of the total infrastructure of the web. Recently, that trust has been placed in doubt. Jquery has also been subject to exploits in the past:http://www.cvedetails.com/vulnerability ... query.html
*) speed up web browsing. jquery 2.1 is 86kB. All of the HTML on my site is 32kB uncompressed. Enough said.
*) enhance privacy. Google and jquery.org ( a private organization sponsored by many of the largest companies in the world) are using jquery to track your browser. They are doing it right now.
While doing research to back up this request, I came across this site:
http://www.awwwards.com/websites/jquery/
giving awards to the best jquery sites. I sampled a few of them and found that a surprising number of them are hosting jquery themselves. This is a new trend resulting from the Snowden revelations. The web developers don't trust Google.
Thanks for your consideration.
I would like to propose an enhancement to NoScript to improve browser performance and enhance end use privacy and security.
On reading over the change-log for NoScript, I came across the following item:
x [Surrogates] Fixed Google Analytics surrogate breaking some javascript: links (thanks Will for reporting)
Google Analytics is a tracking feature used my many web sites to follow browser use across different websites. Google Analytics is widely used because it is easy to implement and because web developers ( and their customers ) consider Google to be a more reliable source of statistics than their own web server logs.
Now that NoScript is around, Google is rethinking how they can reliably track people without Google Analytics. They have a clever work around for the problem: force people to load jquery via SSL from Google servers. Since jquery is used by seemingly every single web site, and "best practice" is to load jquery from Google, there is a virtual certainty of tracking all modern browsers this way.
This man has figured out how to server a local copy of jquery from an Apache instance hosted on his local machine:
http://development.genusa.com/?p=211
While I admire what he is doing, I think that the number of people willing to go to the trouble is pretty minimal. Moreover, the proper place to put this is in the browser so you don't have to deal with SSL proxy issues.
Jquery is an abomination. I would much prefer to browse the web with JavaScript turned off, but for many ( if not most ) sites, that is not possible. The next best thing is to control the content of the js that reaches my machine. Please consider adding this enhancement to NoScript. it would:
*) Enhance browser security. The ajax.googleapis.com server must be the holy grail of hackers. It would also be a preferred vehicle for malicious governments or corporations to target individuals or entire countries. Likewise jquery.org and Google are trusted with a shockingly large percentage of the total infrastructure of the web. Recently, that trust has been placed in doubt. Jquery has also been subject to exploits in the past:http://www.cvedetails.com/vulnerability ... query.html
*) speed up web browsing. jquery 2.1 is 86kB. All of the HTML on my site is 32kB uncompressed. Enough said.
*) enhance privacy. Google and jquery.org ( a private organization sponsored by many of the largest companies in the world) are using jquery to track your browser. They are doing it right now.
While doing research to back up this request, I came across this site:
http://www.awwwards.com/websites/jquery/
giving awards to the best jquery sites. I sampled a few of them and found that a surprising number of them are hosting jquery themselves. This is a new trend resulting from the Snowden revelations. The web developers don't trust Google.
Thanks for your consideration.