Doesn't that kill the possibility that a visitor will already have common content cached when visiting your site for the first time? I know that's not the only reason to use a CDN, but it's a pretty big one.

In my experience, the variety of specific versions of libraries sites are locked to dilutes that performance benefit. Just look at a cross-sampling of sites calling jQuery or <insert your favorite library or framework here>.

In theory, the maximum benefit of a CDN only comes if everyone is on 1) the same version or, similar but different, 2) an evergreen version. And the latter is a big red neon sign screaming "DANGER".

And the parts that everyone is on, became standardized in the browser: document.querySelector, CSS animations, async stuff, etc.

Honestly with all the versions of js libraries and all the CDN hosts, the limitations of cache size and the insane bloat of webpages, I think you're going to have to be pretty lucky to get any beneficial cache hits from unrelated third party sites.

IF you have some stuff you think some visitors will have cached, well then you can use the standard google or jquery CDN or whatever (they're free anyway). For everything else you would run from your own CDN url.

I thought that too but even for the most common stuff like font awesome cdn cannot be trusted - just too many silent outages that were only discovered from user complaining because they impacted different geographical areas differently..

IIRC the argument was that JS bloat is okay "because we can cache common content through CDNs" ... or that's how it felt at the time :)

It sort of/kind of started with jQuery, and in those days including jQuery was considered somewhat bloaty. I think it was about 18kB minified back then? Today their site says it's 30kB.

Either way that's miniscule compared to having a few pictures on your webpage. Having much more JS than that, honestly seems like true bloat to me, which I don't think CDNs should facilitate anyway (so much untrusted unknown unchecked code doing very, very filthy things).

My point is, it wasn't a very good argument back then either, but it became normal because people did it for other reasons, too.

The main reason people did it, was that it was just so much easier. Just copypaste those 1.5 lines of code in your <HEAD> section to include the latest version of jQuery from Google's CDN, instead of downloading it and putting it somewhere in your source tree and now you've got to keep track that different parts of your codebase written months apart don't accidentally use slightly different versions (because it's ugly, not because it mattered a lot otherwise), etc.

Such convenience!

And if someone asked if it was really a good idea to blindly load 3rd party code and run it in the context of your own domain? Even I told people this sometimes: Well if you can't trust Google serving you secure code, then the web is basically fucked anyway, and we got much bigger problems. Which seemed like a reasonable threat model / security trade off at the time.

And now we're here.

About a week ago Google got caught hosting hostile ads that included cryptocoin miners inefficiently wasting users' electricity for a few bucks (profit insignificant compared to the cost of energy wasted). And apparently Google's offering to blindly host 3rd party JS to all users on the entire Internet everywhere (except the adblockerati), via their fucking ad network, has been expected behaviour for over a year at least and nobody gave a peep when that malfeature appeared.

I still don't know the exact date when or if there even was an announcement when they allowed advertisers "sure do whatever you like to their browsers, run some code, compute stuff, track them in all the ways we haven't dared to deploy publicly, or yet thought of, have at it, you need this, you do you".

So yeah, the web is fucked, we got bigger problems and hell no you can't trust Google any more.

> Either way that's miniscule compared to having a few pictures on your webpage.

A visitor can decide to not display images to improve performance and this will not break the website, blocking the (often not useful) js on the other hand...

> And if someone asked if it was really a good idea to blindly load 3rd party code and run it in the context of your own domain? Even I told people this sometimes: Well if you can't trust Google serving you secure code,

You overlooked the privacy and personal data issue here. It's a bad idea to rely on anything google because it means that you give away the privacy of your visitor to one of the worst offender no less.

> About a week ago Google got caught hosting hostile ads ...

Google has been delivering malware, spyware and that kind of things for years. It was even considered a major vector of infection (usually someone looked for flash on google and clicked on the first results which happened to be a google ad for an infected flash installer)

Wouldn't the paths change between providers?

Many providers simply map to your live site structure. So I keep everything on my own site and do the initial upload there. The CDN looks to my site to get the original copy when they receive a request for a file they don't have cached.