Hotlinking to be disabled on January 31, 2011

Posted on by

Lately, we have noticed a significant increase in traffic from sites that hotlink directly to files on our various properties (jquery.com, jqueryui.com, dev.jquery.com, etc.) instead of downloading and hosting them locally or taking advantage of the CDNs that we and others (Google, Microsoft, etc.) provide for this purpose. This behavior has started to negatively affect the performance of our network and is preventing legitimate users from accessing our site at peak times.

In order to improve the performance and availability of our sites for all users, we have disabled hotlinking to images across our entire network. We will be disabling hotlinking to all other types of content (such as CSS and JavaScript) at the end of January. If your site is hotlinking to jQuery domains other than code.jquery.com, please be aware that you must update your site before this deadline or it will stop functioning normally.

For information on upgrading your site to take advantage of one of the available CDNs, or to download jQuery to host on your own server, please visit:

Downloading jQuery
jQuery UI 1.8.7 Release Notes

Thank you for your cooperation!

41 thoughts on “Hotlinking to be disabled on January 31, 2011

  1. Wow, so many great free CDN’s and someone just hotlinks from jquery.com…

    Cant wait to see some qq about how someones site stoped working…

  2. Stupid question:

    Why isn’t the jQuery site using the versions hosted on one of these cdn’s?

    Sure if there was no instance of jquery on the jquery domain that is being hit hard, then it can’t be hit hard?

  3. Adrian’s thought on this is exactly the same as mine. Why is jQuery telling everybody to use the CDN, when they are not themselves? If they did, then there wouldn’t be this problem… wouldn’t it?

  4. @Adrian, Benjamin: The JQuery team (for obvious reasons) hosts most of the respective files themselves and does not use the services of one of the mentioned CDNs for every file.

    But if you take a look at the HTML code for this very page, you’ll see that it is indeed using Google’s CDN for some files.

    Are you really blaming the fact on the JQuery team that some d*mbf*cks are hotlinking these files directly?

    Please, get a clue and happy new year.

  5. Thanks for the better documentation on Google’s CDN for the UI core and each CSS theme. This wasn’t very obvious before. Nice!

    and @robin card – my resolution for 2011 is to resurrect goatse as the preeminent Internet shock meme. kids these days don’t remember goatse. it’s time to place that icon back at the top of the altar of the gods.

  6. Smaller sites might suffer, you should try to limit just abuser sites unless your telling us that the issue is across the board and that limiting the larger sites wont help. Keep in mind there is a lot of documentation out there that makes mention of pulling code directly from Jquery and newbies could get lost.

  7. @Reader: there are no obvious reasons why the jquery team doesn’t follow its own advice. Perhaps you’d care to enlighten us why that is so. If the jquery team did refence the files from code.jquery.com then everybody could hotlink to the same location and it would be what the jquery team is now asking for.

  8. Simple solution people: Use the google CDN or host the files you need yourself, the Jquery team does enough by GIVING us these files for FREE! They shouldn’t have to pay for us to host them.. I’m just sayin…

  9. it would be an elegant solution for the jquery team to setup permanent redirects for the files. and simply point at github for people who want the source. obviously it’s other people’s bad form for hotlinking in the first place, but the redirects would be nice link backs and solve the problem once and for all quickly and efficiently. if it were me i’d prefer the simple 302 solution to another one that required more work and responding to tons of stupid forum requests….

  10. I think that this is a fair solution to the problem. @Jose: I think it should be done across the board, in my opinion the docs are very clear on downloading and using your own copy of JQuery or using a CDN. If there’s specific places in the documentation that are unclear on this point please let people know! Frankly, even a newbie web developer would have to be pretty clueless to be unaware that they shouldn’t hotlink files.

  11. Dan Heberden on said:

    Might I mention that jQuery domains referencing files on their respective servers is _not_ hotlinking.

    Realistically, a very small portion of users are actually doing this. But ( and actually, I find this to be a pretty good thing) since jquery and jqueryui are so heavily used across the web, it’s starting to impact access to the sites.

    Also worth mentioning, hotlinking to jquery.js outside of the CDN isn’t much of a problem at all, but rather, the css files on jqueryui.com ( to hopefully give some scope in the matter ).

  12. Good solution guys. Thanks for all that you do for us for free. It’s too bad that this is even an issue.

  13. piramida on said:

    ara.t.howard, 302 really? so that they keep coming back? first of all, requests could be a problem in itself, second, for a temporary fallback, 301 would be the code to use.

  14. For the most effective means of informing hotlinkers of JS files, make the file send a 401 Unauthorized response with a
    WWW-Authenticate: Basic realm=”Please use a jQuery CDN to host this file.”
    header/value or similar.

  15. @sean, I’d be willing to bet that most of the people who are hotlinking are not technical users and would therefore not see such a header. These hotlinks occur in the background for the most part and would only be visible in their log files. My bet is the people hotlinking don’t ever view a log.

    I’ve never considered hotlinking because all of the documentation I’ve ever read said to download or link to a CDN. If anyone suffers from hotlink disabling it will be because they didn’t do it right in the first place.

  16. @Jason, Oh they’ll see the results the header each time a page on their site loads. There’ll be a username/password popup(or similar, depending on the browser) containing the message like: A username and password are being requested by http://jquery.com. The site says: “Please use a jQuery CDN to host this file.”

    I use this on my site to inform people that may not know they are part of a DDoS attack that they’re requesting something unbeknownst to them.

  17. A little offtopic: please update the home page (hover hint at “light footprint”) the current jquery version is not 24kb compressed, but 26kb.

  18. The download of jquery-1.4.4.min.js is not working on Mac Snow Leopard.
    I believe the problem lies in how it is downloaded. It probably should be downloaded as a zip or gzip.
    When downloading in Safari or Chrome it just displays on another page. Then it must be saved as or must copied from the page and pasted in a text editor. On my web page I link to jquery-1.4.2.min.js and it works fine. I change to the new version query-1.4.4.min.js and will not even respond to the $(document).ready(function().
    I have tested and rechecked this a dozen times. I use bbedit and had zapped and changed encoding, converted to ascii with no luck.

  19. Problem solved using Mac Snow.
    When downloading or even copying the file from Safaria the permissions are not set right. The Unix style permissions are OK, but under Info on the file you must add Admin permission to read file from the /Library/Webserver/Documents directory.
    I also googled before submitting this problem and found many mac users having the same Issue.
    So, right click on file, select file info, on permissions at bottom – press + (add) , dialog comes up with Users & Groups, Select Administrators.
    Note: the default permissions says (everyone with read only) but that is not enough.
    Thanks for such a GREAT library. I also purchased your book (jQuery in Action) which is very helpful.

  20. Drew Wells on said:

    Theme switcher for jQuery UI isn’t available anywhere else. It’s not even available for download, I guess it dies with this. The images all report 403 from every other domain anyways. Thanks!

  21. Well I think there is a lack of compassion here. I am trying very hard to use the CDNs & yet when I use on my SSL site my themeswitcher/themeroller is missing the thumbnails because I kept getting the “mixed content warnings” and back tracked everything to http:// embedded references which I globally searched and replaced in Visual Studio.

    Now I am looking high & low and cannot find posts on this topic, and I have tried every CDN link (I am trying to use plupload) and well when you read 8 jillion lines of code and struggle to learn 8 new technologies a day and everything proclaims to be “simple and easy”… guess what it ain’t….

    So why call us d**(mb M3498F($ and resort to childish behavior when the best solutions are always top down technological solutions.

    It’s not easy to move the world out of the dark ages people, y’know smile on your code warrior brothers… peace… love… sheesh…

  22. Dan Heberden on said:

    Just omit the http from the URL –

    //ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js

    Will load either http or https depending on your current path.

  23. Thanks for the assist. For me the solution was to download themeswitcher.js, and then resolve the pathways to an image folder I created. Thanks again! :))

  24. Oh yes, and 1 by 1 download the images for the theme switcher dropdown by taking the http://jquery blah blah path and then right-clicking and saving to hard drive. I have the feeling this is not a common scenario but if it helps and cyberspace lagged developer I would be happy.

  25. David Licorish on said:

    Annoyingly, the docs for the Themeswitcher widget still instruct you to “…simply add a script tag referencing our plugin…”. All of the URLs in the code point to “http://jqueryui.com/blahblahblah”. And it doesn’t appear on any CDN I’ve found. It would be nice if they just packaged Themeswitcher for download.

  26. I just noticed this post. I have now moved all the files I need to my hosting account. That way the performance and availability won’t be and issue later.

    Nice call.