
Migrate update and install pages away from legacy external jQuery

Open flawedworld opened this issue 3 years ago • 4 comments

https://github.com/flarum/framework/blob/main/framework/core/views/install/update.php#L20

https://github.com/flarum/framework/blob/main/framework/core/views/install/install.php#L69

flawedworld avatar Jun 11 '22 14:06 flawedworld

Hello!

The bundled jQuery package resides within the forum/admin frontends. The installation and update frontends are separate.

Ideally, it'd be better to stop using jQuery altogether in the install/update frontends and just use vanilla JS.

SychO9 avatar Jun 11 '22 16:06 SychO9

It's a fine choice because it's best to not clutter this repo's history with copies of jQuery for the admin area if the plan is to deprecate it anyway.

jQuery 4 is supposedly a lot smaller, but we may be waiting a year or two. As for those external files, jQuery is an OpenJS / Linux Foundation project now so the CDNs aren't going away anytime soon.

gnat avatar Jun 15 '22 11:06 gnat

> As for those external files, jQuery is an OpenJS / Linux Foundation project now so the CDNs aren't going away anytime soon.

Currently these files are being blindly trusted to not have been modified. If CDN usage is going to be continued, they need to have subresource integrity deployed.

flawedworld avatar Jun 15 '22 12:06 flawedworld

You're right.

If it's only the 20 or so lines affected, might be worth just converting over to the appropriate querySelector() etc. calls and removing jQuery. Otherwise specifying the integrity hash would be a smart move.

gnat avatar Jun 15 '22 12:06 gnat
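
The integrity hash discussed in the thread, as an added Node.js example that is not part of the issue or of Flarum's code: it builds the `integrity` value for a pinned file and applies the same acceptance rules a browser uses, so a modified CDN response is rejected. The function names, the `cdn.example` URL and the file contents are constructed placeholders.

```javascript
// Added example: generate and check Subresource Integrity (SRI) metadata.
const crypto = require("crypto");

// Relative strength of the hash algorithms SRI allows.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity value ("sha384-<base64 digest>") for a file body.
function sriHash(body, algo = "sha384") {
  if (!(algo in STRENGTH)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(body).digest("base64")}`;
}

// Browser-style check: unknown tokens are ignored, only the strongest
// algorithm listed is considered, and any matching hash of it is enough.
function sriMatches(body, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)(\?.*)?$/.exec(tok))
    .filter(Boolean)
    .map(([, algo, digest]) => ({ algo, digest }));
  // No usable metadata (empty or mistyped attribute) means nothing is enforced.
  if (parsed.length === 0) return true;
  const best = Math.max(...parsed.map((p) => STRENGTH[p.algo]));
  return parsed
    .filter((p) => STRENGTH[p.algo] === best)
    .some((p) => sriHash(body, p.algo) === `${p.algo}-${p.digest}`);
}

// Render the tag to place in a view; crossorigin is required for
// cross-origin resources, otherwise the integrity check cannot run.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample input: a stand-in for the pinned library file and a
// copy with one statement appended, as a modified CDN response would be.
const pinned = Buffer.from("/* constructed stand-in library */\nwindow.lib = 1;\n");
const tampered = Buffer.concat([pinned, Buffer.from("window.lib = 2;\n")]);
const integrity = sriHash(pinned);

console.log(scriptTag("https://cdn.example/lib.min.js", pinned));
console.log("pinned file accepted:  ", sriMatches(pinned, integrity));
console.log("modified file accepted:", sriMatches(tampered, integrity));
console.log("mistyped attribute enforces nothing:", sriMatches(tampered, "md5-abc"));
```

The last line is the case to watch for in review: an `integrity` attribute with an unsupported algorithm or malformed value is silently treated as absent, so the hash should be generated by tooling rather than typed by hand.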