[whatwg] Browser Bundled Javascript Repository

> But linking external scripts does have a problem in that you have to  
> trust the site you're linking not to change the script (or get  
> compromised) to add malicious features. A cryptographic hash of the  
> file you expect could be used to mitigate this issue, perhaps for  
> other types of file too. And such a feature could fall within  
> HTML5's purview.
>
> For example:
>
>    <script type="text/javascript"
>        src="http://www.sharedscripts.com/jquery-1.2.3.js"
>        contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d">
>    <link rel="stylesheet" type="text/css"
>        src="http://www.sharedscripts.com/nice-4.5.6.css"
>        contenthash="sha1:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33">


This idea makes sense, but it would still need a fallback script if
the linked-to version doesn't work, and you could use that to point to
the backup file on your own server (equivalent to the src="" attribute).

    <script type="text/javascript"
        src="http://www.sharedscripts.com/jquery-1.2.3.js"
        contenthash="sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
        fallback="js/jquery-1.2.3.min.js">

However, this wouldn't work in older browsers.  That's why I wanted the
"proactive" search to be something other than the src attribute, have
that used first, and fall back to the src attribute in case something
goes wrong.  This would degrade gracefully.

- Joe

Received on Tuesday, 14 July 2009 09:03:15 UTC
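
The check-then-fall-back behaviour discussed in this message, sketched as an added example that is not part of the original post: a loader verifies the fetched bytes against `contenthash` and uses `fallback` when the hash does not match or the fetch fails. It is written for Node.js; the function names, the sha256 allowance and the sample bytes are assumptions, and `contenthash` and `fallback` are the attributes proposed in the thread, not a shipped browser feature.

```javascript
// Added sketch (Node.js): the proposed contenthash + fallback decision.
const crypto = require('crypto');

// Digests this sketch accepts (assumption). The thread uses sha1.
const ALLOWED = new Set(['sha1', 'sha256']);

// Parse "algo:hexdigest" as written in the proposed contenthash attribute.
function parseContentHash(value) {
  const m = /^([a-z0-9]+):([0-9a-f]+)$/i.exec(value || '');
  if (!m) return null;
  const algo = m[1].toLowerCase();
  if (!ALLOWED.has(algo)) return null;
  const size = crypto.createHash(algo).digest().length; // digest bytes
  if (m[2].length !== size * 2) return null;            // wrong length
  return { algo, digest: Buffer.from(m[2], 'hex') };
}

// True only when the fetched bytes hash to the pinned digest.
function matchesPin(body, pin) {
  return crypto.createHash(pin.algo).update(body).digest().equals(pin.digest);
}

// Decide what an element carrying contenthash may execute.
// remoteBody is a Buffer, or null when the fetch failed. Fails closed:
// a missing, malformed or mismatching hash never selects the remote bytes.
function chooseSource(attrs, remoteBody) {
  const pin = parseContentHash(attrs.contenthash);
  if (pin && remoteBody !== null && matchesPin(remoteBody, pin)) {
    return { use: 'src', url: attrs.src };
  }
  if (attrs.fallback) return { use: 'fallback', url: attrs.fallback };
  return { use: 'none', url: null };
}

// Constructed sample: stand-in bytes for the shared file, and a changed copy.
const pinnedBody = Buffer.from('/* constructed stand-in for jquery-1.2.3.js */');
const changedBody = Buffer.concat([pinnedBody, Buffer.from('/* altered */')]);
const attrs = {
  src: 'http://www.sharedscripts.com/jquery-1.2.3.js',
  contenthash: 'sha1:' + crypto.createHash('sha1').update(pinnedBody).digest('hex'),
  fallback: 'js/jquery-1.2.3.min.js',
};

console.log(chooseSource(attrs, pinnedBody));  // remote copy verified
console.log(chooseSource(attrs, changedBody)); // mismatch, local fallback
console.log(chooseSource(attrs, null));        // fetch failed, local fallback
```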