[whatwg] Browser Bundled Javascript Repository

Joseph Pecoraro joepeck02 at gmail.com
Tue Jul 14 09:03:15 PDT 2009


> But linking external scripts does have a problem in that you have to  
> trust the site you're linking not to change the script (or get  
> compromised) to add malicious features. A cryptographic hash of the  
> file you expect could be used to mitigate this issue, perhaps for  
> other types of file too. And such a feature could fall within  
> HTML5's purview.
>
> For example:
>
>    <script type="text/javascript"
>        src="http://www.sharedscripts.com/jquery-1.2.3.js"
>        contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d">
>    <link rel="stylesheet" type="text/css"
>        src="http://www.sharedscripts.com/nice-4.5.6.css"
>        contenthash="sha1:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33">


This idea makes sense, but it would still need a fallback script if  
the linked-to version doesn't work, and you could use that to point to  
the backup file on your own server (equivalent to the src="" attribute).

    <script type="text/javascript"
        src="http://www.sharedscripts.com/jquery-1.2.3.js"
        contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
        fallback="js/jquery-1.2.3.min.js">

However, this wouldn't work in older browsers.  That's why I wanted the  
"proactive" search to be something other than the src attribute, have  
that used first, and fall back to the src attribute in case something  
goes wrong.  This would degrade gracefully.

- Joe
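
An added example, not part of the original message: a Node.js sketch of how a loader could act on the contenthash and fallback attributes proposed above, using the remote file only when its digest matches the pin and otherwise the self-hosted copy. The fetchBytes callback, the reason strings, the sha256 option and the sample script bodies are assumptions made here; neither attribute is a browser API.

```javascript
// Added example: models the loader decision for the proposed (non-standard)
// contenthash/fallback attributes from this thread. Not a browser API.
const crypto = require("node:crypto");

// Digest sizes in hex characters. sha1 is what the thread shows; sha256 is an
// assumption added here as a stronger option.
const HEX_LEN = { sha1: 40, sha256: 64 };

// Parse "algo:hexdigest"; return null for anything malformed or unsupported.
function parseContentHash(value) {
  const m = /^([a-z0-9]+):([0-9a-f]+)$/i.exec(value);
  if (!m) return null;
  const algo = m[1].toLowerCase();
  if (HEX_LEN[algo] !== m[2].length) return null;
  return { algo, digest: Buffer.from(m[2], "hex") };
}

// fetchBytes(url) is a hypothetical callback returning a Buffer, or null on
// network failure. Returns the URL whose bytes may run, and why.
function chooseSource(attrs, fetchBytes) {
  const fallback = attrs.fallback || null;
  if (attrs.contenthash === undefined) {
    return { url: attrs.src, reason: "no-pin" }; // legacy behaviour, unverified
  }
  const pin = parseContentHash(attrs.contenthash);
  if (!pin) return { url: fallback, reason: "bad-pin" }; // fail closed
  const body = fetchBytes(attrs.src);
  if (!body) return { url: fallback, reason: "fetch-failed" };
  const actual = crypto.createHash(pin.algo).update(body).digest();
  if (crypto.timingSafeEqual(actual, pin.digest)) {
    return { url: attrs.src, reason: "hash-match" };
  }
  // Mismatch: the remote bytes are never used, only the self-hosted copy.
  return { url: fallback, reason: "hash-mismatch" };
}

// Constructed sample input (not real jQuery): a pinned body and a modified one.
const GOOD = Buffer.from("window.jQuery = function () {};");
const TAMPERED = Buffer.from("window.jQuery = function () { /* changed */ };");
const ATTRS = {
  src: "http://www.sharedscripts.com/jquery-1.2.3.js",
  contenthash: "sha1:" + crypto.createHash("sha1").update(GOOD).digest("hex"),
  fallback: "js/jquery-1.2.3.min.js",
};
console.log(chooseSource(ATTRS, () => GOOD));
console.log(chooseSource(ATTRS, () => TAMPERED));
```

A malformed pin is treated like a mismatch rather than ignored, so a typo in the attribute cannot silently disable the check.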
