The golfing world had the Tiger Woods saga. Now our hero Doug Crockford, finder of the Good Parts, has gotten involved in some Online Booty Call drama.

If you went to the online booty call site (as Steve Souders obviously does) you would have seen this yesterday:

Doug added an alert() to line 1 of his json.js files (DON'T HOT LINK TO THAT :)

I was talking to Doug about his keynote at Add-on-Con tomorrow, and asked him what the motivation was for this alert message. It turns out his webhosting service had contacted him about the unusually high amount of traffic on json.org. Doug investigated and discovered that OnlineBootyCall was linking directly to http://json.org/json.js, in spite of this statement in the file:

USE YOUR OWN COPY. IT IS EXTREMELY UNWISE TO LOAD CODE FROM SERVERS YOU DO NOT CONTROL.

Linking directly to http://json.org/json.js is bad. Certainly, it puts a load on Doug’s webhosting company that shouldn’t be there. But more importantly, it exposes the content site to security and performance vulnerabilities. Loading third party scripts into the parent window gives that third party access to cookies and other potentially confidential information in the page. Accessing that script from a third party domain requires an additional DNS lookup (which can be costly). Also, if the script is at the top of the page (which it is in this case) and the third party site is slow or not responding, the entire page is left blank for thirty seconds or more.

It’s best to reduce the number of third party scripts on your site. That was the reason Doug added the alert message to the top of json.js.

Of course, we hot link all the time. To Google Analytics. To the Yahoo/AOL/Google CDNs. Etc. The Web needs better mechanisms for packaging and running code. Doug likes to fight for just that. On one hand you can kinda snigger at the Online Booty Call situation, but I do admit to feeling a bit bad about the innocent folk that were harmed. I keep thinking of Bob Harris. The little JS guy that hotlinked. He is on vacation right now. He has no idea that his small site is alert'ing all of its users and they are all pissed. I feel sorry for him when he gets home to figure that out.


Related News :