@require my own library from 3rd party site -- absolutely taboo?

§
Posted: 2014-09-20

Background:

Obviously, it's technically possible to @require any script from any domain within a UserScript, but understandably many users want to know what's in the UserScript before they install it or update to it.

By requiring an externally hosted script, users are then required to give you an extra level of trust - that the author won't replace the script with something malicious (that say, collects all of their keystrokes on any/all sites).

This is not such a problem for common libraries like jQuery / SWFObject / three.js -- folks have had a long time to trust their authors. Additionally, these libraries are typically hosted on well-known code CDNs -- another small piece of trust-building.

Question:

So then, what to do about biggish JavaScript libraries you'd like to use in your UserScript?

I've been updating a UserScript of mine (Dailymotion: "Playback Quality Control") to work after the Firefox 32.0 sandbox changes. Partly for sandbox-workaround reasons, partly to incorporate a better version of the Flash video player, and partly to improve the features and reliability of the player -- I've had to write a 36KB (760 LOC and counting) library to support my UserScript (i.e: without any changes to the target page).

I know that's not big in the sense of the browser loading the code, but it's much harder to maintain the UserScript with all that extra code cluttering it up. :-/

If I were to publish the library itself on GitHub with all of the usual open source processes around that, that'd be at least a reasonably trustworthy domain -- but do GitHub even allow hot-linking from their repo browser?

And there's still the content-trust issue. It'd be better if I could specify a version and a (MD5?) signature for the code to be required -- that requires much less vigilance from users after the UserScript and library have been around for a while.

What's the best way to balance the code-size / trust issue?
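The version-plus-digest pin asked about above could look like the following sketch, which is an added example and not code from the thread or from any userscript manager. It uses SHA-256 in place of the MD5 floated in the post, because MD5 is no longer collision resistant; the pin syntax, the function names and the example.org URL are assumptions made for illustration.

```javascript
// Added example (not from the thread): pin a required library to version + SHA-256.
const nodeCrypto = require('crypto');

// Hex SHA-256 of the exact bytes that would be served for the @require URL.
function sha256Hex(bytes) {
  return nodeCrypto.createHash('sha256').update(bytes).digest('hex');
}

// Hypothetical pin syntax for this example: "<https url>#v=<version>;sha256=<hex>".
function makePin(url, version, bytes) {
  return `${url}#v=${version};sha256=${sha256Hex(bytes)}`;
}

function parsePin(pin) {
  const m = /^(https:\/\/[^#\s]+)#v=([\w.-]+);sha256=([0-9a-f]{64})$/.exec(pin);
  if (!m) throw new Error('malformed or non-HTTPS pin');
  return { url: m[1], version: m[2], sha256: m[3] };
}

// Accept the fetched bytes only if they hash to the pinned digest and the
// library's own "// @version" header agrees with the pinned version.
function verifyLibrary(pin, bytes) {
  const { version, sha256 } = parsePin(pin);
  if (sha256Hex(bytes) !== sha256) return { ok: false, reason: 'digest mismatch' };
  const declared = /^\/\/\s*@version\s+(\S+)/m.exec(bytes.toString('utf8'));
  if (!declared || declared[1] !== version) return { ok: false, reason: 'version mismatch' };
  return { ok: true, reason: 'match' };
}

// Constructed sample input: a tiny stand-in library and a later, altered copy.
const LIB_URL = 'https://example.org/libs/player-support.js';
const original = Buffer.from('// @version 1.2.0\nfunction setQuality(q) { return q; }\n');
const altered = Buffer.from(original.toString() + '/* changed after review */\n');
const pin = makePin(LIB_URL, '1.2.0', original);

console.log(pin);
console.log(verifyLibrary(pin, original)); // { ok: true, reason: 'match' }
console.log(verifyLibrary(pin, altered));  // { ok: false, reason: 'digest mismatch' }
```

With a pin like this published in the UserScript itself, a reader reviews the library once at the pinned version, and any later change to the hosted file fails the check instead of loading silently.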

§
Posted: 2014-09-20
Edited: 2014-09-20

You can try auto sync (or even a GitHub webhook) to GreasyFork as a library; every update will be kept (auto sync runs once per day, and the webhook runs a few minutes after you push an update, if I'm correct ;) ) and it's absolutely no problem to @require it for your script.

§
Posted: 2014-09-21
You can try auto sync (or even a GitHub webhook) to GreasyFork as a library; every update will be kept (auto sync runs once per day, and the webhook runs a few minutes after you push an update, if I'm correct ;) ) and it's absolutely no problem to @require it for your script.

So in that case, the library is being served from GreasyFork's HTTP servers.

Putting aside browser-caching of the scripts (presuming that actually occurs for @require content), could this put significant load on GF... is GF fast enough? :-)
