Mismatch with CDN
wkaczurba opened this issue · 3 comments
Hi.
I noticed that the CDN's jquery.min.js and the webjar's jquery.min.js have different SRIs, which led me to find that they have different content.
Here are some more details how to replicate:
Any ideas/comments?
Cheers
Vito
Historically we've modified the jquery.min.js to include a reference to the map:
//# sourceMappingURL=jquery.min.map
And since we pull files that have version numbers in the names, but then remove the versions, we update the jquery.min.map file to reference the version-less filename.
I'm not sure what the latest is with providing source mapping info to the browser. Maybe we no longer need to add that. For the jquery.min.map maybe we should pull from https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js instead of http://code.jquery.com/jquery-3.3.1.min.js but is that cloudflare location the right place to pull from? Where do they get their versionless files from?
Hi James,
Both https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js and http://code.jquery.com/jquery-3.3.1.min.js have the same content. My problem is with the additional line in webjars' JQuery as it leads to different SRI.
In my dev I use Thymeleaf templates in the following manner:
- webjars' JQuery when running in Spring-Boot
- CDN's JQuery when browsing Thymeleaf in local browser (no Spring-boot; SRI matches so it is all ok):
- SRI is the same for both of the above.
<script th:src="@{/webjars/tether/1.4.3/dist/js/tether.min.js}" src="https://cdnjs.cloudflare.com/ajax/libs/tether/1.4.3/js/tether.min.js" integrity="sha256-mIiWebTG82x+OcV3vUA49ffGDIAJ53uC9jflw5/+REs=" crossorigin="anonymous"></script>
Now I cannot use the above for JQuery, as the SRIs are different for webjars' JQuery and the CDN's JQuery.
Thymeleaf does not have a th:integrity attribute that would override the normal (CDN's) integrity attribute when running in Spring-Boot. This forced me to rely only on the CDN's version (no webjars) as below:
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"
integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
I'm releasing 3.3.1-1 with the plain cloudflare sources. We'll see if this causes any issues. For possible future reference, here is what jQuery says about source maps:
as of version 1.10.0/2.1.0 the compressed jQuery no longer includes the sourcemap comment in CDN copies because it requires the uncompressed file and sourcemap file to be placed at the same location as the compressed file. If you are maintaining local copies and can control the locations of all three files, you can add the sourcemap comment to the compressed file for easier debugging.
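Added example, not part of the thread or of the WebJars project's code: a sketch of why the appended `//# sourceMappingURL=` line breaks a pinned `integrity` value, and how to confirm that the comment is the only difference between a repackaged file and the upstream one. The function names and the two sample byte strings are constructed for illustration; they are not real jQuery content.

```python
import base64
import hashlib
import re

ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest, per the SRI spec
# Trailing source-map comment of the kind discussed in this thread.
MAP_COMMENT = re.compile(rb"\r?\n?//# sourceMappingURL=\S+\s*\Z")


def sri(data: bytes, alg: str = "sha384") -> str:
    """Integrity token (alg-base64digest) for the exact bytes served."""
    if alg not in ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def matches(data: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute as a browser would: only
    tokens of the strongest listed algorithm count, and any one may match."""
    tokens = [t.split("?")[0] for t in integrity.split()]
    tokens = [t for t in tokens if t.split("-", 1)[0] in ALGS]
    if not tokens:
        return True  # no usable metadata, so nothing is enforced
    strongest = max((t.split("-", 1)[0] for t in tokens), key=ALGS.index)
    return any(t == sri(data, strongest) for t in tokens)


def explain_mismatch(local: bytes, upstream: bytes) -> str:
    """Classify why a repackaged copy fails the upstream integrity value."""
    if local == upstream:
        return "identical"
    stripped, removed = MAP_COMMENT.subn(b"", local)
    if removed and stripped.rstrip() == upstream.rstrip():
        return "source-map comment appended"
    return "content differs"


# Constructed stand-ins for the two files (not real jQuery bytes).
CDN_COPY = b"/*! constructed sample */!function(){window.demo=1}();"
PACKAGED_COPY = CDN_COPY + b"\n//# sourceMappingURL=jquery.min.map"

if __name__ == "__main__":
    pinned = sri(CDN_COPY)  # value a page would pin for the CDN file
    print("CDN copy passes:     ", matches(CDN_COPY, pinned))
    print("packaged copy passes:", matches(PACKAGED_COPY, pinned))
    print("reason:              ", explain_mismatch(PACKAGED_COPY, CDN_COPY))
```

Running `explain_mismatch` over the packaged file and a freshly downloaded upstream copy separates a benign repackaging change from a genuine content difference before anyone decides to re-pin the hash.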