
> The fastest way to get going with htmx is to load it via a CDN

htmx is great and all, but loading it from a CDN is insecure and fraught with problems. Namely, the JS file in question could be hijacked and replaced with a malicious version that can steal data. It's unlikely, but still a plausible scenario. Also: the resource could just 404 and not be available due to work-in-progress scenarios on the CDN side.

I would much rather host it on my own domain that I control.




I haven't done much frontend dev work, but I thought that's what the integrity keyword is for:

  <script
  src="https://example.com/example-framework.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>


The Installing section suggests exactly this for users just getting started: https://htmx.org/docs/#installing

And then it says in the docs right after:

> While the CDN approach is extremely simple, you may want to consider not using CDNs in production.

> The next easiest way to install htmx is to simply copy it into your project.

> Download htmx.min.js from unpkg.com and add it to the appropriate directory in your project and include it where necessary with a <script> tag:

Someone else in the thread was asking about webpack. webpack. What has javascript done to people's expectations?


Using JS off a CDN is not a security issue if you use Subresource Integrity: https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

You can ensure you're always running the version of the script you validated, assuming you even validate the code (which presumably no one does).
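To make the SRI mechanism the comments above refer to concrete, here is an added example (not code from the thread or from the htmx project) that produces the `integrity` value for a local copy of a script and checks a fetched body against a pinned value the way a browser does, including the rule that when several hashes are listed only the strongest algorithm counts. The sample script bytes are constructed; the CDN URL is a placeholder.

```python
import base64
import hashlib
import hmac
import html

# Constructed sample standing in for the htmx.min.js you downloaded and reviewed.
SAMPLE_SCRIPT = b"/* constructed sample, not the real htmx */\nwindow.hello = function () { return 'hi'; };\n"

# Algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ('sha384-<base64 digest>') for the given bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Build the <script> tag to paste into a page; crossorigin is required for SRI on cross-origin loads."""
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{integrity}" crossorigin="anonymous"></script>'
    )


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: among the listed tokens keep only those using the
    strongest algorithm present, then accept if any of them matches the content."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGOS]
    if not tokens:
        return False  # no usable algorithm: a browser would reject the resource
    strongest = max((t.partition("-")[0] for t in tokens), key=SRI_ALGOS.index)
    for token in tokens:
        algo = token.partition("-")[0]
        if algo != strongest:
            continue
        # constant-time compare of the recomputed token with the pinned one
        if hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


if __name__ == "__main__":
    pinned = sri_hash(SAMPLE_SCRIPT)
    print(script_tag("https://cdn.example.invalid/htmx.min.js", pinned))
    # Simulate the CDN serving a modified file: the pinned hash no longer matches.
    print("tampered copy accepted:", verify_sri(SAMPLE_SCRIPT + b"alert(1);", pinned))
```

Run it against the real file you vetted (`sri_hash(open("htmx.min.js", "rb").read())`) and paste the resulting tag; a swapped or truncated file on the CDN then fails to load instead of executing, which addresses the hijack concern but, as noted above, not the availability one.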


> I would much rather host it on my own domain that I control.

You can and they encourage users to consider not using CDNs in production


An odd nitpick given that the CDN example in the documentation protects against exactly this.


It is available for download - see "Installing" under the table of contents. I always prefer to host locally myself and I do this for htmx.


It’s not hard to have it imported from node modules and built with webpack or similar


just download it and serve it from your own site.



