Closed thazarik closed 6 years ago
Hi, I think we should totally allow one or both. Having that stuff driven by the registry sounds like the best option but may require a bit of coordination. The oc.conf override instead seems quite an easy win - would you be able to attempt a Pull Request for that?
Hi @matteofigus. Sure, working on that now. Will check back in a bit.
The oc.conf approach actually opens up a security hole: it'd be possible for anyone with access to the browser to fetch his own script instead (assuming CORS headers are left as permissive as they are currently).
The safer alternative has already been implemented: do not load jQuery if already present.
I figure we should do the same for Handlebars at the minimum.
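The "do not load if already present" approach from the comment above, extended to Handlebars, as an added example that is not oc-client's own code. The function names, the dependency table and the base URL value are assumptions made for illustration; the point is that the base URL stays fixed in the shipped client, and a host page that wants its own CDN simply loads the library before the client runs.

```javascript
// Added example: every name here is hypothetical, not oc-client's API.
// The base URL is fixed in the shipped client and never read from
// page-level config, so nothing on the page can repoint it (constructed URL).
const CDN_BASE_URL = 'https://cdn.example.invalid/libs/';

// Each dependency: the global it defines and its path under the fixed base.
const DEPENDENCIES = [
  { global: 'jQuery', path: 'jquery/jquery.min.js' },
  { global: 'Handlebars', path: 'handlebars/handlebars.runtime.min.js' },
];

// Return the script URLs still needed, skipping every global the host page
// already provides (for example jQuery served from an internal CDN).
function scriptsToLoad(globalObj, deps = DEPENDENCIES) {
  return deps
    .filter((dep) => typeof globalObj[dep.global] === 'undefined')
    .map((dep) => new URL(dep.path, CDN_BASE_URL).href);
}

// Browser-side loader: inject one <script> per missing dependency, in order,
// and report the first failure through the callback.
function loadMissing(globalObj, doc, done) {
  const queue = scriptsToLoad(globalObj);
  (function next() {
    const src = queue.shift();
    if (!src) return done();
    const el = doc.createElement('script');
    el.src = src;
    el.onload = next;
    el.onerror = () => done(new Error('failed to load ' + src));
    doc.head.appendChild(el);
  })();
}
```

In a browser this would be called as `loadMissing(window, document, callback)`; a page that has already loaded both libraries triggers no external request at all.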
Folks, this refers to the hardcoded CDNJS_BASEURL in oc-client.js.
Right now it appears there's no clean way to override that, so that I may pick up jQuery from my own CDN instead. The use case is driven by enterprise deployments that aren't keen on opening up to external CDN yet.
Any pointers on driving this via registry, or via browser oc.conf would be really useful.