Forums

I understand that the YUI3 CDN doesn't support SSL. However, the FAQ hinted that this functionality may be coming sometime. How close is this to being done? Is it even on the radar right now? I can't speak for everybody, but it would save me a lot of headaches to be able to simply reference these files over CDN, and my project requires SSL.

That reasoning is fine (even though it looks like ericf disagrees). However that ideology also stops the uptake of YUI in certain scenarios.

eg: Corporate app, internal use. I would love to promote YUI3. I can't. I need https. My audience is internal. As an internal app I am trusted. I have no chance my IT team will roll out a server side combination service to rollup YUI modules. I've tried managing my own static rollups but that quickly becomes a major headache to manage especially trying to move forward to new yui releases (ie the rollups change and need reconfiguration and re-deployment).

Upshot of it is the overheads of using YUI3 in this context prevent me from doing so. I use jquery.

I just don't think it's worth throwing that opportunity out. Give me the choice please and educate users on the arguments for and against. Then leave it up to us.

The last thing Yahoo! should do is give users a bad choice. On the slim chance that the CDN origin were to be hacked and exploit code injected into the source somewhere that leaked sensitive user information from your secure application that could be used as a second stage attack (it would be fairly trivial to add a submit event handler that leaked usernames/passwords to a third party).

Unlikely? Probably.

Disasterous? Absolutely.

They're Yahoo!'s servers. The way legal liability works, it kind of requires them to be the 'usage police'.

It's never been tested, and different legal teams have different degrees of comfort with 'never been tested'. But given that there is not usage agreement or an explicit (or even implicit) waiver of liability for the use of the CDN that I've seen. On the other hand, Google *does* have an implicit terms of service for their CDN that includes a liability waiver (https://developers.google.com/terms/ ), so that might factor into the decision on the Google side.

It also may not factor into the decision at all. Ryan certainly always presented the argument from the purely philosophical "this is a bad idea, so we won't support it" position, and Jenny is pointing back to that argument, suggesting the feelings haven't shifted much since Ryan moved on to SmugMug.

And actually, Google did ship YUI3 via their CDN until a few versions ago, when it was removed at the request of the YUI team because the Google JavaScript CDN doesn't support combo loading.