Loading ...
Sorry, an error occurred while loading the content.

IMPORTANT: Remove this line from json2.js before deployment.

Expand Messages
  • Douglas Crockford
    The server at JSON.org is getting hammered. It turns out that there are some sites that are linking directly to json2.js instead of dispensing it from their
    Message 1 of 9 , Dec 9, 2009
    View Source
    • 0 Attachment
      The server at JSON.org is getting hammered. It turns out that there are some sites that are linking directly to json2.js instead of dispensing it from their own servers. By far the heaviest impact is from onlinebootycall.com. My intention was to provide the world with a free implementation, but the world can buy its own bandwidth.

      So I have added this line as the first line in the json2.js file:

      alert('IMPORTANT: Remove this line from json2.js before deployment.');

      It will not break anything, but it should help get a message to the onlinebootycalls that you should not load code from strange third party servers. It is not safe.
    • brianmario
      Any interest in moving your code to an account on Github? Might also help with people s desire for versioned-versions of your various code currently hosted
      Message 2 of 9 , Dec 9, 2009
      View Source
      • 0 Attachment
        Any interest in moving your code to an account on Github? Might also help with people's desire for versioned-versions of your various code currently hosted directly on json.org. You could simply link to the project itself, or even the raw file.
        You could even go so far as to use embedded Gists (with syntax highlighting and all) for your code samples.
        Anyway, just a thought.

        -Brian Lopez (author of yajl-ruby)

        --- In json@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:
        >
        > The server at JSON.org is getting hammered. It turns out that there are some sites that are linking directly to json2.js instead of dispensing it from their own servers. By far the heaviest impact is from onlinebootycall.com. My intention was to provide the world with a free implementation, but the world can buy its own bandwidth.
        >
        > So I have added this line as the first line in the json2.js file:
        >
        > alert('IMPORTANT: Remove this line from json2.js before deployment.');
        >
        > It will not break anything, but it should help get a message to the onlinebootycalls that you should not load code from strange third party servers. It is not safe.
        >
      • Douglas Crockford
        There is more information at http://www.stevesouders.com/blog/2009/12/10/crockford-alert/ and
        Message 3 of 9 , Dec 12, 2009
        View Source
        • 0 Attachment
        • Andrea Giammarchi
          Douglas, I think this move was brilliant, but as I have twitted, I wonder how many devs wrote a: window.alert = function(){}; before including external
          Message 4 of 9 , Dec 13, 2009
          View Source
          • 0 Attachment
            Douglas, I think this move was brilliant, but as I have twitted, I wonder
            how many devs wrote a:

            window.alert = function(){};

            before including external resources, rather than get the real/original
            message (also because alert is something only RyanAir and few others could
            still use "in 2010")

            In any case, specially for a problematic subject as JSON evaluation is, I
            guess you should be proud about the fact that many people simply trust your
            implementation.
            Moreover, as somebody already said, I think it's more about having an
            automatically updated version, rather than grab your server bandwidth.

            I think your JSON implementation should be hosted with a "Donate" button in
            some place able to use pre-gzipped/deflated/plain version via ETag, 304, and
            every possible technique able to make it safer and usable everywhere, with
            clear benefits provided by common browsers cache.

            Best Regards

            On Sun, Dec 13, 2009 at 1:00 AM, Douglas Crockford <douglas@...>wrote:

            >
            >
            > There is more information at
            > http://www.stevesouders.com/blog/2009/12/10/crockford-alert/ and
            > http://ajaxian.com/archives/doug-crockford-and-the-online-booty-call-saga
            >
            >
            >


            [Non-text portions of this message have been removed]
          • Douglas Crockford
            ... The point I was making was that if you care about reliability, security, and performance, then you shouldn t load scripts directly from third party
            Message 5 of 9 , Dec 13, 2009
            View Source
            • 0 Attachment
              --- In json@yahoogroups.com, Andrea Giammarchi <andrea.giammarchi@...> wrote:
              >
              > Douglas, I think this move was brilliant, but as I have twitted, I
              > wonder how many devs wrote a:
              >
              > window.alert = function(){};
              >
              > before including external resources, rather than get the real/original
              > message

              The point I was making was that if you care about reliability, security, and performance, then you shouldn't load scripts directly from third party servers. Are you suggesting that it is ok if you stub out alert first?
            • Philip Tellis
              2009/12/14 Douglas Crockford ... I think he s suggesting that the people who need to get the point may not actually get it - they ll
              Message 6 of 9 , Dec 13, 2009
              View Source
              • 0 Attachment
                2009/12/14 Douglas Crockford <douglas@...>
                >
                > --- In json@yahoogroups.com, Andrea Giammarchi <andrea.giammarchi@...> wrote:
                > >
                > > Douglas, I think this move was brilliant, but as I have twitted, I
                > > wonder how many devs wrote a:
                > >
                > > window.alert = function(){};
                > >
                > > before including external resources, rather than get the real/original
                > > message
                >
                > The point I was making was that if you care about reliability, security, and performance, then you shouldn't load scripts directly from third party servers. Are you suggesting that it is ok if you stub out alert first?

                I think he's suggesting that the people who need to get the point may
                not actually get it - they'll just work around it with no idea why you
                put it in there.
              • Andrea Giammarchi
                If you go in YUI 3 Configurator the Result page provides a script to copy and paste to include remotely the library.
                Message 7 of 9 , Dec 13, 2009
                View Source
                • 0 Attachment
                  If you go in YUI 3 Configurator the Result page provides a script to copy
                  and paste to include remotely the library.
                  http://developer.yahoo.com/yui/3/configurator/

                  If you go in Google Ajax libraries you will find external URIs to use third
                  part hosts as trusted safe and secure host with updated libraries.
                  http://code.google.com/apis/ajaxlibs/documentation/#AjaxLibraries

                  If you are using dojo library you probably know about AOL:
                  http://dev.aol.com/dojo

                  What am I saying is that we are not everybody under https and we trust, for
                  whatever reason, some external domain.
                  Not everybody could have followed the "alert story", I can already imagine
                  developers called 6am in the morning about an alert in the website that does
                  not use alerts at all.
                  These devs could have quickly solved the problem nullifying the alert
                  without caring about why the alert was there and, in the worst case
                  scenario, blaming you to have forgot an alert inside your library and
                  feeling cool to have solved an unexpected alert problem forever (so try with
                  prompt or confirm ...)

                  Since the message as is could sound more like you were testing something and
                  you forgot an alert, I would rather change the alert message with a link
                  that points WHY there is an alert.

                  I totally agree with you and it could often be about developers laziness (in
                  YUI case they did not use the php loader, etc etc) but at the same time:

                  1 - every website could benefit about common external resources thanks to
                  distributed cache for common libaries
                  2 - this message is not perfectly clear since somebody, YUI! itself, is
                  suggesting external resources while you, a Yahoo! engineer, are saying that
                  this is so bad that anybody should avoid this technique

                  Do you see what I mean?

                  Regards


                  On Sun, Dec 13, 2009 at 6:38 PM, Douglas Crockford <douglas@...>wrote:

                  >
                  >
                  > --- In json@yahoogroups.com <json%40yahoogroups.com>, Andrea Giammarchi
                  > <andrea.giammarchi@...> wrote:
                  > >
                  > > Douglas, I think this move was brilliant, but as I have twitted, I
                  > > wonder how many devs wrote a:
                  > >
                  > > window.alert = function(){};
                  > >
                  > > before including external resources, rather than get the real/original
                  > > message
                  >
                  > The point I was making was that if you care about reliability, security,
                  > and performance, then you shouldn't load scripts directly from third party
                  > servers. Are you suggesting that it is ok if you stub out alert first?
                  >
                  >
                  >


                  [Non-text portions of this message have been removed]
                • Andrea Giammarchi
                  Just to underline another thing: ... reliability ... they are including the de facto official JSON library for JavaScript security ... they trust your
                  Message 8 of 9 , Dec 13, 2009
                  View Source
                  • 0 Attachment
                    Just to underline another thing:

                    On Sun, Dec 13, 2009 at 6:38 PM, Douglas Crockford <douglas@...>wrote:

                    >
                    > The point I was making was that if you care about reliability, security,
                    > and performance
                    >
                    >
                    reliability ... they are including the de facto official JSON library for
                    JavaScript
                    security ... they trust your implementation and they trust the fact you keep
                    updating it
                    performances ... they are using a potentially "common used external
                    resource" so if the browser cached already that version performances will be
                    better for every website that includes it plus they are saving bandwidth.

                    As you can see somebody could think that your points ARE the reason they
                    included JSON via the direct source, rather than their local copy
                    potentially non updated and served even if almost every browser has stored
                    somewhere exactly the same library.

                    So, finally, I would think about a proper specific server or an official
                    repository Github style so that people than use the raw minified and gzipped
                    version with the 304 response, but if you think nobody should ever include
                    external scripts, you should tell us why we all have YUI configurator
                    scripts, google adsense/analytic files, etc etc.

                    Regards


                    [Non-text portions of this message have been removed]
                  • Leen Besselink
                    ... Hi Andrea, I think you are forgetting that the (current) json.org website is probably just a shared-hosting account. So that probably means it s not as
                    Message 9 of 9 , Dec 14, 2009
                    View Source
                    • 0 Attachment
                      On 12/13/2009 09:34 PM, Andrea Giammarchi wrote:
                      >
                      > Just to underline another thing:
                      >
                      > On Sun, Dec 13, 2009 at 6:38 PM, Douglas Crockford
                      > <douglas@... <mailto:douglas%40crockford.com>>wrote:
                      >
                      > >
                      > > The point I was making was that if you care about reliability, security,
                      > > and performance
                      > >
                      > >
                      > reliability ... they are including the de facto official JSON library for
                      > JavaScript
                      > security ... they trust your implementation and they trust the fact
                      > you keep
                      > updating it
                      > performances ... they are using a potentially "common used external
                      > resource" so if the browser cached already that version performances
                      > will be
                      > better for every website that includes it plus they are saving bandwidth.
                      >
                      > As you can see somebody could think that your points ARE the reason they
                      > included JSON via the direct source, rather than their local copy
                      > potentially non updated and served even if almost every browser has stored
                      > somewhere exactly the same library.
                      >

                      Hi Andrea,

                      I think you are forgetting that the (current) json.org website is
                      probably just a shared-hosting
                      account.

                      So that probably means it's not as reliable as something Google or Yahoo
                      might do for some of the js-libraries.

                      Performance-wise it would be really bad if everyone started hotlinking
                      to just that one (or maybe 2 or 3) server(s) as well.

                      Security-wise, something like the CDN-like setup Google and Yahoo are
                      doing have a lot of save-gaurds,
                      like monitoring tools and employees for file-changes. Seperate dedicated
                      datacenters or atleast 'cages' of
                      dedicated 19"-racks of servers. And not to forget procedures.

                      While I do think getting automatic updates of json[2].js would be really
                      interresting, because it's a very
                      security-sensitive library.

                      So in the current situation, it's a really bad idea.

                      >
                      > So, finally, I would think about a proper specific server or an official
                      > repository Github style so that people than use the raw minified and
                      > gzipped
                      > version with the 304 response, but if you think nobody should ever include
                      > external scripts, you should tell us why we all have YUI configurator
                      > scripts, google adsense/analytic files, etc etc.
                      >

                      Yes, I think some people would love to see Yahoo add json[2].js to their
                      list of js-libraries
                      they are already hosting on their own CDN (I think Google has a whole
                      list of libraries).

                      But maybe Mr. Crockford does not want his personal project to be tied to
                      his (current)
                      employer or Google. I don't know their, could be many reasons.

                      > Regards
                      >
                      > [Non-text portions of this message have been removed]
                      >
                    Your message has been successfully submitted and would be delivered to recipients shortly.