Third-party scripting in "waking up" interstitial

From the page where you draw circles by wiggling the mouse around–you know the one:

<script src="https://cdnjs.cloudflare.com/ajax/libs/bowser/1.9.4/bowser.min.js"></script>

Glitch, can we talk about this? You don’t have to be inviting Cloudflare into our project’s origin.

This isn’t about whether I don’t trust Cloudflare, or the bowser library, or the author of the bowser library. It’s only that we can do better.

I have a few ideas on how not to give power over our project origin to Cloudflare:

  1. Stop using browser sniffing. The only thing loaded this way is bowser, and it’s used in this way:

    var isValidBrowser = bowser.check({
      ios: "7",
      msie: "10",
      android: "4.4",
      chrome: "16",
      firefox: "11",
    });
    
    if (!isValidBrowser) {
      throw new Error("Jump to refresh");
    }
    
    // (later)
    var ws = new WebSocket(/* ... */);
    

    I’m personally of the philosophy that feature detection is better than browser sniffing. You might write:

    if (!('WebSocket' in window)) {
      throw new Error("Jump to refresh");
    }
    

    Something like that. There’s materially less to maintain this way, namely you don’t have this table of which browser version support web sockets. Some people say this is more polite to indie browsers too 🤷

  2. Set up subresource integrity. Programmatically hold them to the otherwise social contract of serving exactly that library. In fact, the library’s page on cdnjs allows you to copy a script tag with a subresource integrity hash:

    <script src="https://cdnjs.cloudflare.com/ajax/libs/bowser/1.9.4/bowser.min.js" integrity="sha256-tS9rYBF0HnbO+ivkEWS7ybM7ujNLmtFbA6utN7YJ2YM=" crossorigin="anonymous"></script>
    
  3. Serve the library from your own servers. Because it’s not like we can visit a project hosted on Glitch without trusting Glitch already. Or maybe even inline it into the page, although it is reusable across projects, so maybe not.

Maybe the provider could be just switched to jsdelivr. The Bowser code is there.

Hosting from Glitch CDN could also be an option.

Using a CDN basically sacrifices some control for uptime. It’s good to host things from your own server, but what if your server goes down, and what if other people rely on your server? In most cases, the same server is also hosting webpages that use that file, so it wouldn’t be an issue, as no one would need that file until the webpages are back up.
Using a 3rd party CDN comes with its benefits. The file will be available almost always. You might think it would be an issue if hackers breached a CDN and replaced the scripts with malicious ones, but that’s where subresource integrity should help out.