On Nov 3, 2017, at 7:55 AM, Zakero <zak...@gmail.com> wrote:
>
> Looking at this from a "skin" point of view, if a someone needs to include
> a script like jQuery somewhere in <head> then that skin would also need to
> provide CSP support. May or may not be a reasonable expectation.
I believe your worry only comes up if it pulls jQuery from somewhere outside
the repository. If it pulls it via a /file, /doc, or /uv URL, then even the
strictest CSP settings will allow it.
The performance advantages you get by pointing to external CDNs or large
Internet services (e.g. Google) for common resources like jQuery only apply
when the rest of the site is out on the Internet, too. If your Fossil instance
is private, you can pull jQuery from the local repository server much faster
than from Google, despite all their $billions, simply due to the nature of
networking.
Among my proposals in the other thread is modifying Fossil’s current
Cache-Control headers for JS and CSS to give far-future dates by changing the
file name any time the file contents change, which mean such a JS file is
likely to remain in a developer’s browser cache at least as long as one sourced
from a big CDN or Internet property.
(My proposals were written in terms of Expires, but that’s only because I’ve
been administrating HTTP servers on the side for far too long, so I keep going
back to the first tool I learned. Fossil currently uses Cache-Control, which
is at least as good for this purpose and probably better.)
The only tricky bit, then, is that we’d need some kind of syntax for doing this
to user-provided static resources. If I put this into a markdown-formatted
wiki article:
<script src="/uv/jquery.js"></script>
…Fossil could translate that to this in the HTML:
<script src="/uv/jquery.js-91cd02d094"></script>
…where the hex bit is the first 10 digits of the artifact’s hash, where 10 is a
variable, suitably set. :)
That in turn would require that the /uv implementation recognize -$hexnoise and
either look up that specific artifact by hash value, or in the case of /uv,
just strip it off and look it up by name as it currently does.
Having done all of this, the far-future cache control setting would work for
internally-provided CSS, JS, SVG, etc.
_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
