hilbix / js Goto Github PK

This should be investigated.

loadmain tries to import loadmodule and for some reason this does not work because the file is not found (so the .js is not automatically added).

Perhaps this has something to do how I did my tests. AFAICS I tested this with Apache, and it might be that Apache automagically adds the .js suffix for the requested MimeType. Or whatever. I really have no idea because I know it worked at my side. Somehow. But not on some other site which uses NginX.

Adding .js fixes the issue for me. But I am still puzzled why this happened.

This sadly exposes some other things. The .js extension is a PITA.

Hence the probably correct fix is to remove the .js artificially. Which will make things more easy to access (as . is used in JS for object notation) even if .js is used by purpose. This would only make trouble if you have a module named NAME and a second module named NAME.js which are both JavaScript. But is this really something valid to consider? I do not think so.

This probably is a breaking change.

When using E.A.target() this should set the .attr({rel:'noreferrer noopener'}) by default.
There can be some option which reverts this, such that the opened target can refer to opener/referrer.

This is good for following reasons:

• As a nobrainer, it should always be as secure as possible.

  • When A is used with a .target this usually means another window is opened, not the same window
  • When this new window is on a different origin, it should not be able to access window.opener nor the referrer by default for privacy reasons

• If it is needed that the option is not set, you will quickly spot the problem and can fix it by adding the appropriate option.

  • The other way round it is usually just forgotten

Hence adding both options by default is the definitive way to go. Even that this may be a breaking change.

Also noted:

If E.A uses some href which is not some absulute/relative path, this also should be automatic.
Again the argument is the non-brainer. Things always should be secure by default.

Subresource Security

I had trouble including those beasts. As a module. And not as a module. OTOH cry/md5c.js and cry/sha256c.js work. However not as a module, too.

I am currently undecided if this is a bug, a feature or just some incompatibility. NodeJS seems to be happy with both. For unknown reason (looks like require is a declared variable there, because we are 'use strict').

However I put it as a bug. Because it would be good to be able to load them as a module, which is not implemented in the *c.js variants and will never be implemented there.

But ..

.. this, again, means that I have to re-invent a wheel, because, AFAICS, babel leaves me without support here.

FF has no Buffer, so this currently only works in NodeJS

Subresource Security