包括本地和远程JavaScript库 [英] Including local vs. remote javascript libraries
问题描述
我正在使用jsSHA 1.3.1,我在这里下载并用于学习项目在我的localhost上。它提供的结果与我通过引用遥控器获得的副本略有不同,如下所示:
< script src =https ://raw.github.com/Caligatio/jsSHA/master/src/sha1.js>< /脚本>
由于@Andreas 这里。
<但它给我留下了一个新问题:包含副本与引用远程js库的理由是什么?它是否像'推销'库一样,使我的应用程序与代码中的后续更改隔离开来?
如果您的应用程序可用于WWW,你应该考虑使用一个众所周知的外部URL。
< script type =text / javascript
src =http://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js
< / script>
以下示例从google服务器获取jquery 1.8.0的缩小版本。
-
此方法获得的好处来自缓存:
-
您不希望首次访问潜在用户对您的网站造成缓慢和失望。如果您的第一次访问者访问了我的网站,该网站使用此URL作为jQuery,她的浏览器可能已经缓存了它,因此无需加载它。
-
使用不可变的版本化资源(jquery / 1.8.0而不是像jquery / current这样的资源)都可以帮助开发人员不必追踪他们的生产代码中的重大变化,并确保可以缓存这些资源。
-
如果必须下载资源并且URL托管在CDN上,则可能会降低延迟,因为资源可能会从靠近用户网络的服务器加载。示例中的URL托管在作为CDN的Google Hosted Libraries上。有关详细信息,请参见 https://developers.google.com/speed/libraries/devguide 。
-
-
在此类讨论中经常出现的另一个论点是,当必须下载资源时,您将如果资源不在您自己的服务器上以及您的页面包含的10多个资源,那么能够获得更好的客户端资源加载并行性,因为浏览器限制自己加载到资源形式的少量数据(在现代浏览器中为6左右)同一台服务器。
-
如果您的互联网范围内的Web应用程序对安全性至关重要,您必须尽可能多地控制它,以便安全地管理(并且静态不变或接近不可变资源相对容易安全管理)。
- 如果我的银行通过HTTPS运行的电子银行应用程序依赖谷歌的HTTP服务器进行服务,那么它将授予谷歌权限在其电子银行应用程序的客户端部分,实际上消除了与服务器的HTTPS连接的所有好处。流氓客户端脚本无法做到的事情很少...
- 如果我的银行通过HTTPS运行的电子银行应用程序依赖谷歌的HTTP服务器进行服务,那么它将授予谷歌权限在其电子银行应用程序的客户端部分,实际上消除了与服务器的HTTPS连接的所有好处。流氓客户端脚本无法做到的事情很少...
- 如果您的应用程序是在本地访问的,那么您应该将它包含在您的应用程序中以获得两种性能(访问服务器应该比在延迟和带宽方面访问某些远程服务器更快)和可靠性原因(您是不依赖外部互联网连接和远程服务器启动和运行。)
I'm using jsSHA 1.3.1 which I downloaded here and used in learning project on my localhost. It gives a slightly different result than the copy I got by referring to the remote as follows:
<script src="https://raw.github.com/Caligatio/jsSHA/master/src/sha1.js"></script>
The remote copy works well for me, now, thanks to this excellent answer by @Andreas here.
But it leaves me with a new question: what's the rationale for including a copy vs. referring to a remote js library? Is it like 'vendoring' the library, insulating my app from subsequent changes in the code?
If your application is available on the WWW, you should consider using a well-known external URL.
<script type="text/javascript"
src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js"
</script>
This example below gets the minified version of jquery 1.8.0 from google's servers.
The benefit obtained by this method comes from caching:
You do not want the first visit a potential user makes to your website to be slow and disappointing. If your first-time visitor has visited my site which uses this URL for jQuery, her browser will probably have cached it so it will not need to load it.
Using immutable versioned resources (jquery/1.8.0 instead of something like jquery/current) both helps developers not have to track down breaking changes in their production code and ensures that these resources can be cached.
If the resource has to be downloaded and the URL is hosted on a CDN you are likely to get lower latency as the resource will probably be loaded from a server closer to the user's network. The URL in the example is hosted on Google Hosted Libraries which is a CDN. See https://developers.google.com/speed/libraries/devguide for more information.
Another argument often seen in such discussions is that when the resource has to be downloaded, you will be able to get better client-side resource loading parallelism if the resource is not on your own servers together with 10 more resources your page includes because browsers limit themselves to loading up to a small number (6 or so in modern browsers) of resources form the same server.
If your internet-wide web application is security-critical, you must keep control of as much of it as you can securely manage (and static immutable or nearly immutable resources are relatively easy to manage securely).
- If my bank's e-banking application which runs over HTTPS were to rely on google's HTTP servers for serving, it would both be granting Google authority over the client-side part of its e-banking application and eliminating practically all benefits of the HTTPS connection to its servers. There are very few things that a rogue client script cannot do...
- If my bank's e-banking application which runs over HTTPS were to rely on google's HTTP servers for serving, it would both be granting Google authority over the client-side part of its e-banking application and eliminating practically all benefits of the HTTPS connection to its servers. There are very few things that a rogue client script cannot do...
- If your application is accessed locally, you should probably include it in your application for both performance (access to your servers should be faster than accessing some remote server both in terms of latency and in terms of bandwidth) and reliability reasons (you are not relying on the external internet connection and on the remote servers being up and running).
这篇关于包括本地和远程JavaScript库的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
