httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <mearn...@gmail.com>
Subject Re: [users@httpd] Reducing js file sizes...
Date Mon, 23 Mar 2009 15:46:20 GMT
On Mon, Mar 23, 2009 at 11:10 AM, Boyle Owen <Owen.Boyle@six-group.com> wrote:
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>>
>> Would that not prevent browser-level caching of the javascript ?
>> If yes, that would probably more than cancel any advantage of the
>> "minification", no ?
>
> I don't know for certain the OP's motivation but it may not be just to save bandwidth...
>
> There is a security imperative for cleaning up JS - comments, and even variable names,
can reveal details about  your server's implementation that may assist an attacker. You can
(should?) go the whole hog and obfuscate the code too (re-write variables to "a", "b", "c"
etc, remove white-space, etc..)
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>

I don't really see how JavaScript could reveal anything about your
server...it's client side, so it shouldn't have anything to do with
your server. I mean, if you're writing things in your comments like
"// Oh yeh, the password to my server is foobar", then that's a whole
other matter, but you probably deserve what you get for that anyway.
Other than that, I'm very curious to know what sort of security
concerns you're thinking of, perhaps it's something I need to address
in my own code.

Anyway, for the OP and others, if your concern /is/ response time, one
thing to keep in mind is balancing network traffic transmission time
with minification processing. If you reduce transmission time from 1
second to half a second, but it takes 3 seconds to do the
minification, you've gained nothing but freeing some bandwidth on the
pipe (which is courteous of you, but probably not what you want). I
think this of particular concern with some of the "better" (read, more
thorough) minifiers which parse the entire script and rewrite it with
small arbitrary variable names, etc., as opposed to just filtering it
like JSMin does. These certainly lead to smaller scripts, but take a
significant amount of extra time to run.

I think a nice alternative is to use a filter that will run the
minification as necessary but simultaneously pipe the output to a file
on the server. For each additional request, it can just check to see
if the minified file is out of date compared to original, and if not,
it can read directly from that file. There will be an initial time
penalty on the first request after modifying the original script, but
from there on out, it /should/ (I think, I haven't actually tested
this) be significantly faster than re-running the minifier while still
getting the reduced size and making sure it's always up to date (as
opposed to serving the minified content statically and having to
remember to regenerate it yourself when you make changes to your
original).


As long as we're on this topic, I'd like to step up on my soap box for
a minute and beseech my fellow web developers to use minification
thoughtfully. Reducing network traffic and speeding up load time is
definitely a worthwhile goal, but we should always bear in mind that
the web should be an open place to exchange ideas and techniques. Few
things about web developing are more frustrating than seeing something
cool on a person's page, and viewing the source only to find it's been
minified to the point of obfuscation. If there are legitimate security
concerns, then obviously that's a separate matter, but if the purpose
is just minification, I think it'd be a real nice touch to precede the
minified content with a brief comment indicating the URL for the
original (unminified) source. Okay, I'll stop preaching now.

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message