Yes, browsers do cache SSL resources, so please use Google's CDN

19 Jan 2011

I recently came across a blog article titled Cripple the Google CDN caching with a single character. It was written by David Ward, who’s an author of some well-known Javascript books. His main point is that you shouldn’t link to the SSL versions of javascript libraries on Google’s AJAX CDN because of performance reasons. He claims that browsers don’t cache resources served through SSL.

This is a completely incorrect statement. All browsers cache SSL content, as long as you specify the correct Cache-Control headers.

A simple curl request reveals that jquery served from Google’s CDN has Cache-Control public.

curl --HEAD
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 15 Nov 2010 20:40:52 GMT
Date: Fri, 14 Jan 2011 01:13:42 GMT
Expires: Sat, 14 Jan 2012 01:13:42 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
Cache-Control: public, max-age=31536000
Age: 494847
Transfer-Encoding: chunked

Notice the Cache-Control: public header. Moral: be careful putting blind trust in blog articles. And, use Google’s CDN so we can all browse the web faster.


Update 1

David’s responded by saying that the real problem (and the point of his blog article) is that there are identical versions of each resource in Google’s AJAX CDN, one of which is served through HTTP, and the other is served through HTTPS, i.e:

This causes cache fragmentation because sites may choose either option. However, if you visit Google’s AJAX CDN, they seem to be listing only the HTTPS url. This is a good compromise because it avoids the mixed security issue outlined in David’s post.