Scott "Red Shirt" Guthrie announced today  that the jQuery and the Microsoft AJAX scripts would be hosted on the Microsoft content delivery network (CDN) – which should speed up the initial loading of these script libraries and save you bandwidth, as you won’t have to host them any more. Being an untrusting soul, errr, security person, I thought I’d take a quick look at how its delivered.
The scripts are hosted on http://ajax.microsoft.com/  which presents the first problem – it’s a microsoft.com domain. When you do any serious browsing to the normal microsoft.com sites you’re going to get a cookie, for example if you login to view things that require Live authentication, or you register for an event or even a session ID. On my machine I have seven cookies that are sent to any microsoft.com site and some of them look like tracking identifiers (the omniID for example is a GUID, then there’s MUID, a cookie called ANON and so on). There’s no way of knowing what these cookies actually do, but they will be sent with requests for the CDN based script libraries which, if Microsoft were so inclined, could be used to track users as they travel through various sites using the CDN. Of course google does the same thing, and has been doing it for longer. The google script for loading other scripts (yes I know) comes from google.com, so the cookie that identifies your searches will be sent when you browse to a site that uses the google script CDN (adsense and google analytics scripts come from different domains, and so those identifying cookies won’t be sent). So there is a potential privacy problem here, if Microsoft were inclined to be evil.