occt-import-js fetched each time from the CDN #473

Open
rafal-zelek opened this issue May 28, 2024 · 4 comments
@rafal-zelek

Hey!
I noticed that each time I generate an STP file preview, the occt-import-js dependency is fetched from the CDN:

image

Which is changed here:
5f05ad5#diff-10ce331dec07905c5bdf64cc83d98b2892c57ac7e13312e5dae82057e64cbc65R115

What is the reason that it's not embedded anymore? Why can't it be a regular dependency?
Is there something that prevents to at least cache the result?
Idk if that's a safe thing to fetch the JS on the fly from the external sources, it's not performant either.

I could try to work on that, but I lack some context here.

Cheers.

@kovacsv
Owner

kovacsv commented May 28, 2024

> What is the reason that it's not embedded anymore?

We maintain this project in our free time with close to zero financial benefits. Thousands of users are visiting the site each day, and it costs us money. Serving huge libraries such as occt-import-js would cost us even more, so this is why we decided to go with an external CDN. Feel free to donate if you would like to support the development.

> Is there something that prevents to at least cache the result?

Your browser must cache the result. Please check if you didn't disable caching in the developer console. Chrome does its job fine for me.
image

> Idk if that's a safe thing to fetch the JS on the fly from the external sources, it's not performant either.

It's safe, this is how most of the pages work. If you don't disable caching, it is more performant than serving it from our server.

@rafal-zelek
Author

rafal-zelek commented May 29, 2024

> Thousands of users are visiting the site each day, and it costs us money.

U mean serving the OV lib on https://3dviewer.net/ ?
Maybe putting the whole website JS bundle on some CDN could cut the cost if that's the issue.

Or maybe we could cache in the JS this `let occt = await occtimportjs (modulOverrides);` result somewhere and the engine could check if that's already loaded, so that lib users could embed occtimportjs themselves as a dependency. Or we could just make the URL configurable so that I could serve that by myself.

You are right that the website will cache the library, I'm just concerned that my system users will need to reach the external site that executes the JS code on their browsers. I'm just trying to minimize the potential risks.

@rafal-zelek
Author

There is more information about potential risks:
https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html

@rafal-zelek
Author

There is a new anecdotic proof that including JS from other services could lead to some security threats.
https://www.theregister.com/2024/06/25/polyfillio_china_crisis/
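
Subresource Integrity is one standard control for the risk raised in this thread. The following is an added example, not code from the thread or from the project: a fail-closed integrity check in Node.js that pins a reviewed build of a CDN-hosted library and rejects any other bytes. The function names are hypothetical and the byte strings are constructed stand-ins for the library file.

```javascript
// Added example: fail-closed Subresource Integrity (SRI) check for a library
// that is normally fetched from a CDN. Function names are hypothetical.
const { createHash, timingSafeEqual } = require('node:crypto');

// Algorithms SRI defines, ranked so the strongest listed pin is the one enforced.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity value ("sha384-<base64>") from bytes reviewed at pin time.
function computeSri(bytes, alg = 'sha384') {
  if (!(alg in STRENGTH)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// Parse whitespace-separated integrity metadata; unknown or malformed tokens are dropped.
function parseIntegrity(metadata) {
  return metadata.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? { alg: m[1], digest: Buffer.from(m[2], 'base64') } : null;
  }).filter(Boolean);
}

// True only if the bytes match a pinned digest of the strongest algorithm listed.
// Unlike a browser given empty metadata, this rejects when no usable pin exists.
function verifySri(bytes, metadata) {
  const pins = parseIntegrity(metadata);
  if (pins.length === 0) return false;
  const best = pins.reduce((a, b) => (STRENGTH[b.alg] > STRENGTH[a.alg] ? b : a)).alg;
  return pins.filter((p) => p.alg === best).some((p) => {
    const actual = createHash(p.alg).update(bytes).digest();
    return actual.length === p.digest.length && timingSafeEqual(actual, p.digest);
  });
}

// Constructed sample input: a stand-in for the reviewed file and a modified copy.
const reviewed = Buffer.from('/* constructed stand-in for the reviewed library build */');
const tampered = Buffer.concat([reviewed, Buffer.from('\n/* unexpected extra code */')]);
const pin = computeSri(reviewed);

// Summarise the outcomes a deployment check would act on.
function demo() {
  return {
    reviewedAccepted: verifySri(reviewed, pin),
    tamperedAccepted: verifySri(tampered, pin),
    missingPinAccepted: verifySri(reviewed, ''),
  };
}

console.log(pin, demo());
```

In the browser, the same pin goes in the `integrity` attribute of the `<script>` element (with `crossorigin="anonymous"` for a cross-origin CDN), which only works if the URL points at a fixed version of the file.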
