Hacker News new | past | comments | ask | show | jobs | submit login

If anything this would only work on other cloudflare users (like people who logged in to cloudflare). Most users won't have any cookies on that domain.



There's nothing to stop them setting cookies in the responses down the track though. Wait until you've got enough users, then one day just switch on your 3rd party multi-site user tracking. Or perhaps less publicly dicoverable, use browser fingerprinting and ip address correlation to do the same thing with somewhat less accuracy, but completely invisibly.

And note too, that if you're relying on a 3rd party to serve javascript your users are going to run in their browsers - if that 3rd party isn't trustworthy, you're screwed in much worse ways that cookie tracking privacy violations. Who'd notice if they started occasionally serving a modified version of jQuery which sent all form field keydowns (aka, your usernames and passwords) back to theselves?


Following the money will especially help in this situation.

How does CloudFlare make its money? It's a CDN company. I mean, that's the CORE of what they do. What is jsCDN? It's a CDN.

A simpler theory is that hosting a Javascript CDN (and demonstrating that it's even better than Google's, which is amazing), is going to provide a lot of free advertising for their product. If I use their CDN for JS and it works really well, I'm likely to go back to them for hosting other things, because using jsCDN is almost like doing a free trial of their actual CDN.

It's not even like their main form of income is in another industry that we have to make a cognitive leap to see what their ulterior motives are. It's precisely this. CDNs.


Dude, as a good cdn will set cache headers to make browsers store the items forever, without even re-validating content.

Definitely not very useable for tracking purposes, they will only know about first visit of a user. Even more if sites a and b use the same js library and version, they will only know about the first that a user visit.

Anyway is a bad technical decision not to use a different domain to ensure clients don't need to send extra cookies in the headers.


This is way too paranoid. CloudFlare are a reputable company; they're not blackhats.

I think my comment above was too paranoid, as well, but it's too late to edit. All I was suspicious of was that there might be analysis going on.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: