- From: Joseph Pecoraro <joepeck02@gmail.com>
- Date: Tue, 14 Jul 2009 12:03:15 -0400
> But linking external scripts does have a problem in that you have to
> trust the site you're linking not to change the script (or get
> compromised) to add malicious features. A cryptographic hash of the
> file you expect could be used to mitigate this issue, perhaps for
> other types of file too. And such a feature could fall within
> HTML5's purview.
>
> For example:
>
> <script type="text/javascript"
> src="http://www.sharedscripts.com/jquery-1.2.3.js"
> contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d">
> <link rel="stylesheet" type="text/css"
> src="http://www.sharedscripts.com/nice-4.5.6.css"
> contenthash="sha1:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33">
This idea makes sense, but it would still need a fallback script if
the linked to version doesn't work, and you could use that to point to
the backup file on your own server (equivalent to the src="" attribute).
<script type="text/javascript"
src="http://www.sharedscripts.com/jquery-1.2.3.js"
contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
fallback="js/jquery-1.2.3.min.js">
However, this wouldn't work in older browsers. Thats why I wanted the
"proactive" search to be something other then the src attribute, have
that used first, and fallback to the src attribute in case something
goes wrong. This would degrade gracefully.
- Joe
Received on Tuesday, 14 July 2009 09:03:15 UTC