Third-party scripting in "waking up" interstitial

From the page where you draw circles by wiggling the mouse around–you know the one:

<script src=""></script>

Glitch, can we talk about this? You don’t have to be inviting Cloudflare into our project’s origin.

This isn’t about whether I don’t trust Cloudflare, or the bowser library, or the author of the bowser library. It’s only that we can do better.

I have a few ideas on how not to give power over our project origin to Cloudflare:

  1. Stop using browser sniffing. The only thing loaded this way is bowser, and it’s used in this way:

    var isValidBrowser = bowser.check({
      ios: "7",
      msie: "10",
      android: "4.4",
      chrome: "16",
      firefox: "11",
    if (!isValidBrowser) {
      throw new Error("Jump to refresh");
    // (later)
    var ws = new WebSocket(/* ... */);

    I’m personally of the philosophy that feature detection is better than browser sniffing. You might write:

    if (!('WebSocket' in window)) {
      throw new Error("Jump to refresh");

    Something like that. There’s materially less to maintain this way, namely you don’t have this table of which browser version support web sockets. Some people say this is more polite to indie browsers too 🤷

  2. Set up subresource integrity. Programmatically hold them to the otherwise social contract of serving exactly that library. In fact, the library’s page on cdnjs allows you to copy a script tag with a subresource integrity hash:

    <script src="" integrity="sha256-tS9rYBF0HnbO+ivkEWS7ybM7ujNLmtFbA6utN7YJ2YM=" crossorigin="anonymous"></script>
  3. Serve the library from your own servers. Because it’s not like we can visit a project hosted on Glitch without trusting Glitch already. Or maybe even inline it into the page, although it is reusable across projects, so maybe not.

Maybe the provider could be just switched to jsdelivr. The Bowser code is there.

Hosing from glitch CDN could also be an option.

Using a cdn basically sacrfices some control for uptime. It’s good to host things from your own server but what if your server goes down and what if other people rely on your server. In most cases, the same server is also hosting webpages that use that file so it wouldn’t be an issue as no one would need that file until the webpages are back up.
Using a 3rd party cdn, comes with it’s benifits. The file will be avalible almost always. You might think it would be an issue if hackers breached a cdn and replaced the scripts with malicious ones but that’s where subresource integerity should help out.