phabricator uses javascript from the external domain wmfusercontent.org. I very doubt this is a good idea.
Description
Related Objects
Event Timeline
wmfusercontent.org domain is owned and operated by WMF for this purpose as a security measure
I'll note that it adds some 10 % to loading times just for the additional SSL negotiation.
http://www.webpagetest.org/result/141017_E1_WTE/1/details/
Um, this definitely looks like some kind of misconfiguration to me. wmfusercontent.org, as the name says, is presumably intended to be used for user-uploaded content like task attachments, with the different TLD serving to make it impossible to steal cookies from the real site using uploaded HTML attachments, and the like – however, currently it is used both for these and for built-in Phabricator styles and scripts. This is not insecure in any way, of course, but it does cause spidey senses to tingle.
If we want to serve static content from a separate domain which has no cookies set (which is reasonable and possibly a performance improvement in some cases), then I think we should use phabricator-static.wikimedia.org, or something like that, and not reuse phab.wmfusercontent.org.