[whatwg] Browser Bundled Javascript Repository
Joseph Pecoraro
joepeck02 at gmail.com
Tue Jul 14 09:03:15 PDT 2009
> But linking external scripts does have a problem in that you have to
> trust the site you're linking not to change the script (or get
> compromised) to add malicious features. A cryptographic hash of the
> file you expect could be used to mitigate this issue, perhaps for
> other types of file too. And such a feature could fall within
> HTML5's purview.
>
> For example:
>
> <script type="text/javascript"
> src="http://www.sharedscripts.com/jquery-1.2.3.js"
> contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d">
> <link rel="stylesheet" type="text/css"
> src="http://www.sharedscripts.com/nice-4.5.6.css"
> contenthash="sha1:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33">

This idea makes sense, but it would still need a fallback script if
the linked-to version doesn't work, and you could use that to point to
the backup file on your own server (equivalent to the src="" attribute).

<script type="text/javascript"
src="http://www.sharedscripts.com/jquery-1.2.3.js"
contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
fallback="js/jquery-1.2.3.min.js">

However, this wouldn't work in older browsers. That's why I wanted the
"proactive" search to be something other than the src attribute, have
that used first, and fallback to the src attribute in case something
goes wrong. This would degrade gracefully.

- Joe
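
Added example, not part of the original message and not any browser's implementation: a Node.js model of the check proposed in this thread, where the body fetched from src is hashed and compared against contenthash, and the fallback copy is chosen on a mismatch or a failed fetch. The function names, the accepted algorithm list and the sample bodies are assumptions made for illustration.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

// Accepted algorithms are an assumption; the thread only shows sha1.
const ALLOWED = new Set(['sha1', 'sha256', 'sha384', 'sha512']);

// Parse "algo:hexdigest"; return null for unknown algorithms or bad lengths.
function parseContentHash(value) {
  const m = /^([a-z0-9]+):([0-9a-f]+)$/i.exec(String(value || '').trim());
  if (!m) return null;
  const algo = m[1].toLowerCase();
  if (!ALLOWED.has(algo)) return null;
  const digestLen = createHash(algo).digest().length;
  if (m[2].length !== digestLen * 2) return null; // truncated or padded digest
  return { algo, expected: Buffer.from(m[2], 'hex') };
}

// True only when the fetched body hashes to the declared digest.
function verifyBody(body, contentHash) {
  const parsed = parseContentHash(contentHash);
  if (!parsed || body == null) return false;
  const actual = createHash(parsed.algo).update(body).digest();
  return timingSafeEqual(actual, parsed.expected);
}

// Decide which copy to execute. remoteBody is what the src URL returned
// (null if the request failed); tag.fallback is the site's own copy.
function selectScript(tag, remoteBody) {
  if (verifyBody(remoteBody, tag.contenthash)) return { use: 'src', url: tag.src };
  if (tag.fallback) return { use: 'fallback', url: tag.fallback };
  return { use: 'none', url: null }; // no verified copy: run nothing
}

// Attribute values from the thread's example. The body 'hello' is a
// constructed stand-in whose SHA-1 equals the digest shown in the thread.
const sampleTag = {
  src: 'http://www.sharedscripts.com/jquery-1.2.3.js',
  contenthash: 'sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d',
  fallback: 'js/jquery-1.2.3.min.js',
};

console.log(selectScript(sampleTag, 'hello'));             // matches digest
console.log(selectScript(sampleTag, 'hello /* edited */')); // content changed
console.log(selectScript(sampleTag, null));                 // fetch failed
```

A malformed or unsupported contenthash is treated the same as a mismatch, so a typo in the attribute leads to the fallback copy rather than to unverified execution of the remote one.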