kovacsv / Online3DViewer

A solution to visualize and explore 3D models in your browser.
https://3dviewer.net
MIT License

occt-import-js fetched each time from the CDN #473

Open rafal-zelek opened 1 month ago

rafal-zelek commented 1 month ago

Hey! I noticed that each time I generate an STP file preview, the occt-import-js dependency is fetched from the CDN:

Which is changed here: https://github.com/kovacsv/Online3DViewer/commit/5f05ad5e6a60c6cbc4eb59f329c1a2f429a92acb#diff-10ce331dec07905c5bdf64cc83d98b2892c57ac7e13312e5dae82057e64cbc65R115

What is the reason that it's not embedded anymore? Why can't it be a regular dependency? Is there something that prevents to at least cache the result? Idk if that's a safe thing to fetch the JS on the fly from the external sources, it's not performant either.

I could try to work on that, but I lack some context here.

Cheers.

kovacsv commented 1 month ago

What is the reason that it's not embedded anymore?

We maintain this project in our free time with close to zero financial benefits. Thousands of users are visiting the site each day, and it costs us money. Serving huge libraries such as occt-import-js would cost us even more, so this is why we decided to go with an external CDN. Feel free to donate if you would like to support the development.

Is there something that prevents to at least cache the result?

Your browser must cache the result. Please check if you didn't disable caching in the developer console. Chrome does its job fine for me.

Idk if that's a safe thing to fetch the JS on the fly from the external sources, it's not performant either.

It's safe, this is how most of the pages work. If you don't disable caching, it is more performant than serving it from our server.

rafal-zelek commented 1 month ago

Thousands of users are visiting the site each day, and it costs us money.

You mean serving the OV lib on https://3dviewer.net/ ? Maybe putting the whole website JS bundle on some CDN could cut the cost if that's the issue.

Or maybe we could cache in the JS this `let occt = await occtimportjs (modulOverrides);` result somewhere and the engine could check if that's already loaded, so that lib users could embed occtimportjs themselves as a dependency. Or we could just make the url configurable so that I could serve that by myself.

You are right that the website will cache the library, I'm just concerned that my system users will need to reach the external site that executes the JS code on their browsers. I'm just trying to minimize the potential risks.

rafal-zelek commented 1 month ago

There is more information about potential risks: https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html

rafal-zelek commented 3 days ago

There is new anecdotal proof that including JS from other services could lead to some security threats. https://www.theregister.com/2024/06/25/polyfillio_china_crisis/