Not a bug jQuery CDN source uses http only

[Andy.N]

Was switching jquery sources from ACP and notice that only jQuery CDN does not use https protocol which my site use. This results in a browser warning.

 

[Chris D]

That's correct.

It says as much right underneath the option:

Controls the source of the jQuery core JavaScript library. You may host this yourself (Local) or use one of the recommended CDN sources. Google and Microsoft both support HTTPS/SSL, but the jQuery CDN does not.

Solution: Don't use jQuery CDN

 

[Mike]

It seems like the jQuery one does support HTTPS now, though I haven't found any documentation to say it's "supported" though, so I'm hesitant to change it (and we do caveat it).

 

[Andy.N]

It seems like the jQuery one does support HTTPS now, though I haven't found any documentation to say it's "supported" though, so I'm hesitant to change it (and we do caveat it).

Yes, this link works
https://code.jquery.com/jquery-1.10.1.min.js

 

[Adam Howard]

I guess if you're brave, you can always edit the xenforo file to include it yourself and tell us how it goes

I believe you can manually change the hard code in

/library/XenForo/Application.php

 

[Chris D]

It's hardcoded in /library/XenForo/Dependenices/Public.php

A template edit alternative.

<xen:if is="{$xenOptions.jQuerySource} == 'jquery'">
    <xen:set var="$jQuerySource">//code.jquery.com/jquery-1.10.1.min.js</xen:set>
</xen:if>
    <script src="{$jQuerySource}"></script>   
    <xen:if is="{$jQuerySource} != {$jQuerySourceLocal}">
        <script>if (!window.jQuery) { document.write('<scr'+'ipt type="text/javascript" src="{$jQuerySourceLocal}"><\/scr'+'ipt>'); }</script>
    </xen:if><xen:if is="{$xenOptions.uncompressedJs} == 1 OR {$xenOptions.uncompressedJs} == 3">
    <script src="{$javaScriptSource}/jquery/jquery.xenforo.rollup.js?_v={$xenOptions.jsVersion}"></script></xen:if>   
    <script src="{xen:helper javaScriptUrl, '{$javaScriptSource}/xenforo/xenforo.js?_v={$xenOptions.jsVersion}'}"></script>
<!--XenForo_Require:JS-->

If the source is set to jQuery it uses the // prefix which should work on either http or https.

 

[Andy.N]

It's hardcoded in /library/XenForo/Dependenices/Public.php

A template edit alternative.

<xen:if is="{$xenOptions.jQuerySource} == 'jquery'">
    <xen:set var="$jQuerySource">//code.jquery.com/jquery-1.10.1.min.js</xen:set>
</xen:if>
    <script src="{$jQuerySource}"></script>  
    <xen:if is="{$jQuerySource} != {$jQuerySourceLocal}">
        <script>if (!window.jQuery) { document.write('<scr'+'ipt type="text/javascript" src="{$jQuerySourceLocal}"><\/scr'+'ipt>'); }</script>
    </xen:if><xen:if is="{$xenOptions.uncompressedJs} == 1 OR {$xenOptions.uncompressedJs} == 3">
    <script src="{$javaScriptSource}/jquery/jquery.xenforo.rollup.js?_v={$xenOptions.jsVersion}"></script></xen:if>  
    <script src="{xen:helper javaScriptUrl, '{$javaScriptSource}/xenforo/xenforo.js?_v={$xenOptions.jsVersion}'}"></script>
<!--XenForo_Require:JS-->

If the source is set to jQuery it uses the // prefix which should work on either http or https.

Thanks Chris.
I feel the XF default should always use // instead of specifying the protocol.

 

[Chris D]

Once jQuery's documentation is updated to reflect that their CDN is officially supported over HTTPS, I'm sure Mike will change it.

As it stands, until quite recently there was no HTTPS support at all, and currently there's no official documentation to say they support it at all. So it could be experimental, subject to change or other issues.

So, until then, either use Google (I'd recommend this anyway) or my template edit above (at your own risk) if you wish to try the jQuery one.

With or without official support, I don't see any benefit to using the jQuery CDN over Google.

 

[Andy.N]

With or without official support, I don't see any benefit to using the jQuery CDN over Google.

Yes, I don't see any reason for anyone to use jquery CDN when you have Google/Microsoft available. Just something I notice when testing around.
May as well drop it from the next version.

 

[Chris D]

I'd argue there's not much reason to use Microsoft's either...

The benchmarks I've seen suggest that the Microsoft one was very slow compared to Google.

Interestingly, though, for HTTP, it seems that the jQuery CDN was much quicker than even Google in the tests I saw.

But there's other benefits...

If someone were to frequent a lot of XenForo sites, if they're all using the same external jQuery source then that will already be fully cached thus improving load times etc. (albeit marginally).

And I think Google is overall the most popular jQuery source so if you happen to have already been on a site running the same version, then the caching from that site will save it loading on others.

I would actually vote for removing Microsoft and jQuery sources all in all. Maybe with the ability to specify a custom source more easily.

 

[digitalpoint]

Another benefit of using Google... When using HTTPS, they use SPDY as the underlying protocol for delivery if your browser supports it.