1063380 - Use official site instead of googleapis.com to whitelist jQuery UI libs

Status: RESOLVED WONTFIX

(addons.mozilla.org Graveyard :: Add-on Validation, defect)

Description

[Andreas Wagner [:TheOne] [use NI]]

We always tell developers that third party CDNs are not considered an official source for JS libraries.

Therefore, let's use http://code.jquery.com/ui/ instead of https://ajax.googleapis.com/ajax/libs/jqueryui/ to fetch jQuery UI files to be whitelisted.

Comment 1

[Jorge Villalobos [:jorgev] (he/him)]

What about http://jqueryui.com/? Is that non-official? Are the hashes different?

Comment 2

[Andreas Wagner [:TheOne] [use NI]]

Oh I pasted the link from the wrong tab. Of course I meant jqueryui.com (though I think the hashes will be the same). But let's use jqueryui.com anyways.

Thanks Jorge.

Comment 3

[erosman]

Content of 'jquery.com'  & 'ajax.googleapis.com' are exactly the same (same hash)
So it doesn't matter which source is used.
hashes.txt has used above sources.

'jqueryui.com' on the other hand is different.

Please check out my answer in: bug 1063225

Comment 4

[Andreas Wagner [:TheOne] [use NI]]

(In reply to erosman from comment #3)
> Content of 'jquery.com'  & 'ajax.googleapis.com' are exactly the same (same
> hash)
> So it doesn't matter which source is used.
> hashes.txt has used above sources.

Yeah, but let's make the change anyway to be on the safe side.

> We always tell developers that third party CDNs are not considered an official source for JS libraries.

... so let's not do this ourselves.

Comment 5

[erosman]

As I mentioned on IRC, Libraries are static and do not change over time. I think it is worthwhile considering to keep a local copy and generate Hashes from local files. It would greatly simplify jslibfetcher.py 

Using the http method, does not work for libraries that come in zip.

Just an ides ....