Friday, December 11th, 2009

Doug Crockford and the Online Booty Call Saga

Category: JavaScript

The golfing world had the Tiger Woods saga. Now our hero Doug Crockford, finder of the Good Parts, has gotten involved in some Online Booty Call drama.

If you went to the online booty call site (as Steve Souders obviously does) you would have seen this yesterday:

Doug added an alert() to line 1 of his json.js file (DON’T HOT LINK TO THAT :)

I was talking to Doug about his keynote at Add-on-Con tomorrow, and asked him what the motivation was for this alert message. It turns out his webhosting service had contacted him about the unusually high amount of traffic on json.org. Doug investigated and discovered that OnlineBootyCall was linking directly to http://json.org/json.js, in spite of this statement in the file:

USE YOUR OWN COPY. IT IS EXTREMELY UNWISE TO LOAD CODE FROM SERVERS YOU DO NOT CONTROL.

Linking directly to http://json.org/json.js is bad. Certainly, it puts a load on Doug’s webhosting company that shouldn’t be there. But more importantly, it exposes the content site to security and performance risks. A third-party script loaded into the parent window runs with the page’s own privileges, so the third party gets access to cookies and any other potentially confidential information in the page. Fetching that script from a third-party domain also requires an additional DNS lookup (which can be costly). And if the script is at the top of the page (which it is in this case) and the third-party site is slow or not responding, the entire page is left blank for thirty seconds or more, because the browser blocks rendering until the script has loaded.

It’s best to reduce the number of third party scripts on your site. That was the reason Doug added the alert message to the top of json.js.

Of course, we hot link all the time. To Google Analytics. To the Yahoo/AOL/Google CDNs. Etc. The Web needs better mechanisms for packaging and running code. Doug likes to fight for just that. On one hand you can kinda snigger at the Online Booty Call situation, but I do admit to feeling a bit bad about the innocent folk that were harmed. I keep thinking of Bob Harris. The little JS guy that hotlinked. He is on vacation right now. He has no idea that his small site is alert’ing all of its users and they are all pissed. I feel sorry for him when he gets home to figure that out.

Posted by Dion Almaer at 12:57 am
16 Comments


16 Comments »


wow, The Web needs better mechanisms for packaging and running code.

Comment by 925ly — December 11, 2009

In general these types of “security” measures make sense to avoid people abusing your bandwidth. The question, in cases like json.org, should be if you couldn’t expect this (especially with all the frameworks that do all the gruntwork and simply request the JSON parser).

I would imagine an easy solution would be not to make the JS file as accessible as it currently is.

Comment by BtM909 — December 11, 2009

Maven for JS? =P

Comment by BenGerrissen — December 11, 2009

I feel a new trend coming, makes me want to go ahead and dump ascii pron into people’s sites to teach them a lesson.

Comment by Jadet — December 11, 2009

Maybe he can combine this with the advertising system he is working on. ;-)

Comment by edwinm — December 11, 2009

No one was harmed. Some users will have to do an extra click, and some lazy web developers will be embarrassed. Business as usual.

But I could have done worse. I could have forced the page to fail. I could have redirected to a competing site. I could have beaconed the cookies to pirate.com. Or I could have loaded a script that would let me completely pwn the site and all of its users.

It turns out that these things happen all the time, sometimes by accident. Loading third party scripts is an extremely dangerous practice because the browser provides no defense against the evil those scripts might do. By loading a third party script, you are granting the third party all of those powers. I hope that in the distant future we will be able to fix that. It seems important.

Comment by crock — December 11, 2009

Unless you use Caja ofc. =P right? hmm…

Still think we need to find a good balance between downloading third party scripts (YUI, Google, etc) and something like JavaScript Maven.
http://mojo.codehaus.org/javascript-maven-tools/index.html
Dunno if php, .net etc have similar tools.

Comment by BenGerrissen — December 11, 2009

Wrong. hmm… Caja cannot make it safe to load scripts from a third party site. Caja makes it safe to load third party scripts from your own servers. To make scripts from other servers safe, we must replace the DOM.

Comment by crock — December 11, 2009

Hahahahahaha

Comment by ozonecreations — December 11, 2009

He could have also just redirected all the referers from onlinebootycall.com to a specific json.js with a one-liner in a .htaccess

Hell, he could have just had a deny for everyone that doesn’t come from the same domain. Why this ‘n00b’ solution?

Comment by SchizoDuckie — December 11, 2009

@crock, hmm, then it was your advertisement script I was thinking about, which I am sure you’re not happy with (that it has to exist in the first place).

ps. Blame googleapis and peers, since they offer it, obviously it’s a standard and everyone can simply link to your scripts. It’s amazing how many developers don’t (want to) think about js management and quickly accept one way of doing things as a standard. Especially when yer pampered by tools, tools and more tools (*cough* java) so you don’t have to think about where stuff comes from.

Comment by BenGerrissen — December 11, 2009

Let’s see, there’s a message that says “don’t link to this bad things could happen” and the developer links to it and bad things happen (granted not as bad as they could have been) and you feel sorry for the dev?!?

I think what Doug is doing is perfectly acceptable, even though it’s not going to do anything for his traffic issues until this guy gets back from vacation.

Comment by edthered — December 11, 2009

“No one was harmed.”…

Sometimes a bootycall is a 911.

Comment by Nosredna — December 12, 2009

“I keep thinking of Bob Harris. The little JS guy that hotlinked. He is on vacation right now. He has no idea that his small site is alert’ing all of its users and they are all pissed. I feel sorry for him when he gets home to figure that out.”

How wise or nice is it to name the programmer on Ajaxian? Well, Douglas just put an alert line without naming people. You guys name the person. If you want to name them, name them all, or don’t name anyone. On Steve Souders’ site, you already have a comment from the onlinebootycall team admitting a major FAIL from someone. Even they don’t name him.

Hmm – now where did I recently read about how blogs pit one person on the internet against another without either having anything against the other?
Whoever this Bob is, unless he’s an acquaintance/accomplice, is going to be really upset NOT because of Douglas, but because of him being named.
This behaviour is not hacker-like. Come on, you guys are bigger than this.

Ajaxian is not supposed to be juvenile like the dailywtf or slashdot.

Comment by davesrc — December 14, 2009

I think this also raises some more questions for me to think about:
Is there a *compelling* reason to use CDNs?
Do the CDNs enable Google or Yahoo to track usage better?
How do they benefit in terms of better traffic stats?
Is it wise to trust anyone who calls himself a CDN host?
Who reviews the individual code files, especially when Xmas and New Year are approaching?

Comment by davesrc — December 14, 2009

Very clever
thanks a lot for sharing this
thanks
Steve

Comment by Tribulus — January 14, 2010
