
Ok there is a better way to handle this than adding some html to a page to make a banner, posting to HN, and hoping for the best.

Check for referral headers and throw a 301.




Compared to what could have happened this is actually pretty mild.


Everyone these days is so polite.

OK, that was a bit of an exaggeration. But back in my day the web had a whole high-bandwidth site specifically for educating careless webmasters about the dangers of hotlinking: g o a t s e . c x.

It was used to great effect on things like auction sites where the original page HTML was not allowed to be changed after listing.


I'm not sure if politeness is the motivator. Imagine if you had done that, for all hotlinks to your script. Then, it turns out a children's website is hotlinking your script.

Some idiot at Company X decides that it's actually your fault, since it's your script that did it. To save face, they get an expensive lawyer to sue you. Next thing you know, you're a registered sex offender.


Well that escalated quickly.


> To save face, they get an expensive lawyer to sue you. Next thing you know, you're a registered sex offender.

Please learn the difference between civil and criminal law.


Back in the 90's it wouldn't be unthinkable for someone to be criminally prosecuted for goatse-ing a minor in Snookelatchee County, Kentucky.


Please learn the difference between hyperbole and literal statements.


That was exactly what I had in mind when I wrote that.


I once hotlinked an image posted on a forum, and they served the same link you provided.

I never did a hotlink again.


There was a post on reddit to a site that had hotlinked an image for its background and suddenly found itself with a pornographic background.


The banner even has a close button, so it will not stay on top forever. It's extremely polite.


I had this exact same thing happen last week on one of my WordPress sites. I had just inserted that script when developing to try it out and forgot to change it for a local file or a CDN afterwards.

As someone affected by this, I learned my lesson, but I was very happy about how the hotlinking was handled. It was a clear, impossible-to-miss warning, with a clear and easy solution. I thought it was only fair.


Well, I see it as a great reminder why one shouldn't trust scripts hosted elsewhere into one's site.


I use Google and I'm comfortable with that.

The nice part about using Google is first off it offers speed advantages (as most people will have Google's jQuery lib cached already), secondly I don't expect Google to get hacked, and lastly we have Google's permission to do exactly that.


So, do you think your visitors have a problem with Google knowing about every visit to your site?


It is specifically mentioned in our privacy policy. We also use Google Analytics, so that ship has sailed.


Nonsense. Users can very likely block Google Analytics on your site with ease, and without impacting the rest of your site's functionality. That's not necessarily the case when more critical content is served from Google's servers.

Regardless of what your privacy policy states, the responsible thing to do is to at least give your users the option of opting out of such tracking by third-parties, all while still leaving your site usable.


If Google's CDN is unavailable it falls back to a local copy we host. In line with this example: http://stackoverflow.com/questions/5257923/how-to-load-local...


> the responsible thing to do is to at least give your users the option of opting out of such tracking by third-parties

Reddit do this. You can choose to load their js from their own servers rather than a CDN.


Indeed, it's the funniest public service announcement I have seen in a while.


But if you do that you have to configure your server for it, and your server still has to handle the request. The file is 2KB gzipped; serving the file or a redirection is basically the same thing.


Maybe it would be better to reply with 403 instead?


Polymath might not be the only ones hotlinking... the alternative would be to track everyone who is hotlinking, get their email, and then notify them. Many will likely ignore this email.


I hope referrals will be disabled anytime soon. Firefox has AFAIK disabled referrals to other domains by default.


In the case of Javascript hotlinking, that'll do approximately diddly squat though.

  if(/whatispolymath/.exec(location.href)) alert("...");


Or better yet, test if it's not your domain, then show a message.


That is way better, IMO.
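
The two checks discussed in this thread, a server-side referrer test that answers 403 and an in-script test of the embedding page's domain, as an added example that is not code from any commenter. The host names are constructed placeholders and all function names are hypothetical.

```javascript
// Added example: hosts below are constructed placeholders, not from the thread.
const HOME_HOSTS = ["scripts.example.org"]; // assumption: sites allowed to embed the script

// Extract the lowercase hostname from a URL string, or null if it does not parse.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// True when host equals a home host or is a subdomain of one. An exact/suffix
// match avoids the false positives of a substring regex on the full URL.
function isHomeHost(host, homeHosts) {
  return homeHosts.some((h) => host === h || host.endsWith("." + h));
}

// Server side: choose a response for a script request from its Referer header.
function decideResponse(refererHeader, homeHosts = HOME_HOSTS) {
  if (!refererHeader) {
    // Browsers and privacy settings may omit the header, so absence proves nothing.
    return { status: 200, reason: "no-referer" };
  }
  const host = hostOf(refererHeader);
  if (host === null) return { status: 403, reason: "unparseable-referer" };
  return isHomeHost(host, homeHosts)
    ? { status: 200, reason: "home" }
    : { status: 403, reason: "foreign-referer" };
}

// Client side: inside the served script, compare the embedding page's address
// (location.href in a browser) with the home hosts. Needs no Referer header.
function isForeignEmbed(pageHref, homeHosts = HOME_HOSTS) {
  const host = hostOf(pageHref);
  return host === null || !isHomeHost(host, homeHosts);
}
```

In a browser the script would call `isForeignEmbed(location.href)` and show its notice when the result is true.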


Or just send the owner an email: http://www.whois.com/whois/whatispolymath.com


So why should it be the responsibility of some guy whose bandwidth is getting stolen to be nice about notifying the guy who's stealing it - why didn't the site owner feel any obligation to send the .js hosting site owner an email asking if it was OK first?



