Think before you embed hosted YUI

Posted on February 27, 2007, under Technology.

Recently, Yahoo announced they would allow free hosting of their Yahoo! User Interface (YUI) JavaScript and CSS libraries to any site which used them. Yahoo promises gzip compression, smart caching, and the stability of the Yahoo network if you embed their JavaScript and CSS files. After seeing the announcement, I read several posts which declared this the best thing ever for JavaScript libraries, and that this meant Yahoo had “won” the library wars.

If you use YUI, or were thinking about it, this may all sound great! Just reference their hosted files in your site and you’re good to go! However, be careful. You are opening up your site to issues you may not have considered. For example:

Security

If you embed something hosted by a third party into your web site, you are giving that third party first-class access to your web site and all visitors to your web site. Yahoo can now access your scripts on your web pages. Yahoo can now access any cookies you set on visitors’ browsers.

Sometimes you actually do want to allow access like this to certain third parties. For instance, to track web statistics for your web site, you can embed WebTrends’ own script from their servers, and they in turn can then create a ‘first-class’ cookie that acts as though it is coming from your domain. WebTrends does this so more users will allow the cookie, since it appears to be used only by your domain. This type of access is actually a feature in this case, and could be a selling point for you as you look for web analytics services.

However, in the case of something like a hosted, UI-based JavaScript library, you need to really think about whether the domain hosting the file needs that kind of access to your web site and your visitors.
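An added example, not part of the original post: a small Node.js audit of the two claims above, reporting which third-party hosts run script as your page and which of your cookies that script can read. The sample page, the hosts and the cookie headers are constructed, and the HttpOnly check assumes a browser that honors that attribute.

```javascript
// Added example. The page, hosts and Set-Cookie headers below are constructed samples.
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.example.net/lib/2.2.0/reset.css">
<script src="https://cdn.example.net/lib/2.2.0/dom.js"></script>
<script src="/js/site.js"></script>`;
const SAMPLE_SET_COOKIE = [
  "session=abc123; Path=/; HttpOnly; Secure",
  "prefs=theme%3Ddark; Path=/",
];

// Every <script src> and stylesheet <link href> served from a host other than your own.
function thirdPartyEmbeds(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const tagRe = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const found = [];
  for (const [whole, tag, ref] of html.matchAll(tagRe)) {
    const isScript = tag.toLowerCase() === "script";
    if (!isScript && !/\brel\s*=\s*["']?stylesheet/i.test(whole)) continue;
    const url = new URL(ref, site); // relative references resolve to your own host
    if (url.host === site.host) continue;
    // A script executes inside your page; a stylesheet runs no code, but the
    // request for it still lands in the third party's traffic logs.
    found.push({ host: url.host, url: url.href, runsAsPage: isScript });
  }
  return found;
}

// Names of cookies that script in the page can read through document.cookie,
// i.e. cookies set without the HttpOnly attribute.
function scriptReadableCookies(setCookieHeaders) {
  const isHttpOnly = (h) =>
    h.split(";").slice(1).some((attr) => attr.trim().toLowerCase() === "httponly");
  return setCookieHeaders.filter((h) => !isHttpOnly(h)).map((h) => h.split("=")[0].trim());
}

function audit(html, siteOrigin, setCookieHeaders) {
  const embeds = thirdPartyEmbeds(html, siteOrigin);
  const scriptHosts = [...new Set(embeds.filter((e) => e.runsAsPage).map((e) => e.host))];
  return {
    loggedBy: [...new Set(embeds.map((e) => e.host))], // hosts that receive visitor requests
    scriptHosts, // hosts whose code runs with your page's privileges
    exposedCookies: scriptHosts.length ? scriptReadableCookies(setCookieHeaders) : [],
  };
}

console.log(audit(SAMPLE_HTML, "https://www.example.com", SAMPLE_SET_COOKIE));
```

A page that pulls only stylesheets from the third party still shows up under `loggedBy`, but reports no `scriptHosts` and no exposed cookies.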

Reliability

If Yahoo changes their API and it conflicts with your scripts, or introduces a bug into their hosted files, your web site is horked. If Yahoo changes their files, and those changes cause problems with your web site, those problems will be immediately live on your site. There is no ‘dev’ environment in this scenario to test changes. You have no control.

Privacy

This is related to the security point above, but Yahoo can now track all of your visitors for their purposes. They can track any information available through regular web traffic logs, since the files are being pulled from their web site. They potentially also have the ability to read and set cookies.

Yahoo has a paragraph at the bottom of the blog post making the announcement that says:

“Usage of this service will be recorded in Yahoo!’s Web traffic logs. We can assure you that our intent is simply to provide a convenience to the YUI developer community. If the record left in Yahoo!’s logs would compromise the privacy of your users, do not use this service.”

This sounds fairly low-key. However, on the embed page, there is this paragraph under the Terms of Use headline:

“Yahoo!’s hosting of YUI files is covered by all applicable sections of the Terms of Use governing Yahoo! APIs; your use of YUI files from Yahoo!’s servers constitutes an agreement to those terms. Access of YUI files from Yahoo!’s servers will be recorded in Yahoo!’s Web traffic logs. Please be sure that this usage is fully consistent with your own user privacy agreement before deploying YUI files from Yahoo! servers as part of your application.”

Make no mistake; Yahoo plans to garner usage information from your site’s visitors. They even say that you should make sure your site’s privacy statement agrees with theirs before serving their files. You may be alright with this, and it may not bother you or your site’s visitors. However, make sure you understand these privacy issues before embedding their library. Trust is an easy thing to lose, and hard to gain back.

Redundant

Why do you need Yahoo to host script libraries for you? If your server has downtime issues, it’s not going to matter if your visitors can download the YUI or not. If your site is down, it’s down. Considering some of the potential ‘costs’ of embedding from Yahoo’s servers, make sure you have good reason for doing it.

3 Replies to "Think before you embed hosted YUI"

Marian Steinbach  on April 10, 2007

Hi Jess!

As for the reliability argument: Yahoo! has the version number of the YUI files in the path. So each new version gets a new URL. I guess they won’t simply change a file without making it a new version.

There is an argument pro Yahoo hosting which I don’t find here: The more sites use Yahoo’s hosting offer, the more likely a client is to already have the resource in cache.

If the client doesn’t have the YUI in cache yet, requests are made to a server apart from the main server, which should improve response times, since browsers like Firefox make only up to 2 simultaneous connections per host.

Brian G.  on January 15, 2008

I like my YUI experience so far. I’m linking directly to their stylesheets, and they download very fast. I don’t use their javascript.

As for security concerns, I’m willing to trust Yahoo and hope for the best.

I haven’t seen any problems with the way I’m using YUI. I think it’s a great tool, and I plan to keep using it when needed.

jess  on January 15, 2008

Brian,

Do you reference Yahoo’s privacy policy in your site’s privacy policy?
