Problem/Motivation

The module respects user privacy (see Reasons to avoid Javascript CDNs) by allowing serving the js.cookie.min.js file locally from the libraries folder, with CDN as fallback, but it is not documented.

Note that it is in general not a good idea to load libraries from a CDN; avoid this if possible. It introduces more points of failure both performance- and security-wise, requires more TCP/IP connections to be set up, and usually is not in the browser cache anyway.

From Adding assets (CSS, JS) to a Drupal module via *.libraries.yml > From CDN / externally hosted libraries.

Steps to reproduce

Use uBlock Origin in your browser, and see that the module doesn't work, since a third-party file is requested from jsdelivr.net.

Proposed resolution

Document how to serve the file locally, from Drupal, where the CDN source acts as fallback.

See also Load local library first, use CDN as fallback.

Remaining tasks

Document this feature.

User interface changes

API changes

Data model changes

Issue fork js_cookie-3390616

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

ressa created an issue. See original summary.

ressa’s picture

Issue summary: View changes

Add link to article about CDN.

ressa’s picture

Issue summary: View changes

Include adding the file directly in the module, as a proposed solution.

ressa’s picture

Status: Active » Needs review

Since it is just a single file (js.cookie.min.js), the Tagify solution method of checking for a local library file might be overkill, so here's a proof of concept, with the file included in the module.

ressa’s picture

Issue summary: View changes

Update issue summary, adding inclusion of the file in the module as an option.

danrod’s picture

StatusFileSize
new15.42 KB

Tested this on Drupal 10, I can see that the new library has been added in the module.

ressa’s picture

Thanks for confirming @danrod. If you want to check if the JS Cookie module is loaded and works in another module, you can try Automated Logout which requires the JS Cookie module.

ressa’s picture

Issue summary: View changes

@danrod: I just found out including the file is discouraged, so we probably need to add support for local file, checking if it is available and use the CDN as fallback.

ressa’s picture

Status: Needs review » Needs work
ressa’s picture

Title: Support local library file » Document using local library file, wih CDN as fallback
Component: Code » Documentation
Assigned: Unassigned » ressa
Category: Feature request » Task
Issue summary: View changes

I just discovered that the module already supports a local file, with the CDN as fallback, so the task now is documenting it.

ressa’s picture

Assigned: ressa » Unassigned
Status: Needs work » Needs review
ressa’s picture

Title: Document using local library file, wih CDN as fallback » Document using local library file, with CDN as fallback

Here's a one-liner, which will download the file and create the needed directories, if they don't exist:

curl --create-dirs -o libraries/js-cookie/dist/js.cookie.min.js https://cdn.jsdelivr.net/npm/js-cookie@3.0.5/dist/js.cookie.min.js
ressa’s picture

PS. Use the dev-release of Automated Logout to check if JS Cookie module is loaded, the current release (8.x-1.4, July 2022) doesn't use it.

herved’s picture

I'm coming from autologout #3449275-15: JS Cookie needs to be enabled automatically when updating
To avoid CDNs (not compliant with our CORS policy) I added js-cookie as a composer repository.

{
    "type": "package",
    "package": {
        "name": "js-cookie/js-cookie",
        "version": "3.0.5",
        "type": "drupal-library",
        "dist": {
            "url": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz",
            "type": "tar"
        }
    }
}

Then composer require js-cookie/js-cookie

PS: the github release assets of js-cookie do not contain the compiled zip, not sure why... so I used npmjs here.
----

Perhaps we could add a composer.libraries.json and document in the readme to either use wikimedia/composer-merge-plugin or add the repository in your main composer.json.
Several projects do this, e.g: https://www.drupal.org/project/anchor_link

ressa’s picture

Thanks @herved, that's another option. Alternatively, contrib modules could pragmatically bundle scripts directly in the module, making it easier for the end users? Of course, the module maintainer then need to make sure the script is kept updated.

Collapsiblock maintainers recently decided to include a needed library in the module, making life easier for the end user:

As of 4.2.0 the slide-element library is now bundled into the built code. It is no longer necessary to mess around with CDNs or downloaded libraries.

From #3392947-8: Update readme to reflect JS library download no longer required, see also https://git.drupalcode.org/project/collapsiblock#js-library.

For more arguments in favor of this approach, see also #3458611-9: Removing the polyfill-fastly.io library of webform.libraries.yml.

grevil’s picture

@herved there is already npm-asset/js_cookie, which is usually used for third party libraries in Drupal. See https://www.drupal.org/docs/develop/using-composer/manage-dependencies#t....

UPDATE: js-cookie/js-cookie is also abandoned:
This package is abandoned and no longer maintained. The author suggests using the npm-asset/js-cookie package instead.
So we should definitly document the npm-asset library instead.

UPDATE 2: Wrong js-cookies...

But I am a big fan how this is solved in Photoswipe using hook_requirements(), together with 2 different library definitions (one using the cdn script the other the local script) and then create a settings page where you can enable using cdn (turned off by default).

Created an issue here: #3471176: Module violates GDPR compliance through requring the js_cookie library via cdn . I think we should leave this issue open and adjust the description, once the other issue is fixed.

ressa’s picture

That's great @grevil, but what about the idea of pragmatically including the library in the module, making life easier for the end user?

grevil’s picture

@ressa, that would probably be the best approach for the end user I agree! But we would need to manually update the js library once in a while.

Although I am quite confused, as to why the npm-asset package and the gihub latest github release are version-vise out of sync! (3.0.5 vs. 1.0.0), seems like they point to two different repositiories. I'll comment that in the parent issue.

ressa’s picture

Thanks for being open to my suggestion! I left a comment in the other issue.

jan kellermann made their first commit to this issue’s fork.

jan kellermann’s picture

I like the approach of webform to use composer.libraries.json and created a new branch and merge request:

- Added composer.libraries.json
- Added js_cookie.install for requirements (see /admin/reports/status)
- Changed js_cookie.libraries.yml and js_cookie.module for a better overview
- Changed README.md from other fork.

I have changed js_cookie.libraries.yml to make it easier for developers to see that there are two different variants. In the previous js_cookie.libraries.yml this was not visible without looking at the code.

jan kellermann’s picture

Issue tags: +GDPR

grevil changed the visibility of the branch 3390616-support-local-library to hidden.

grevil’s picture

Title: Document using local library file, with CDN as fallback » Document using local library file, with CDN as fallback (Module violates GDPR compliance)
anybody’s picture

Status: Needs review » Needs work

Reviewed. As written in the comment, I think a setting "Load library from CDN" explicitly might make sense to get rid of the warning, which otherwise makes sense for GDPR reasons.

For BC the CDN option could then be enabled by default. For new installs it could be disabled by default. That would be my favourite, what do you think @werk21?

grevil’s picture

Let's also document requiring "https://asset-packagist.org/package/npm-asset/js-cookie" as an alternative option!

jan kellermann’s picture

Status: Needs work » Needs review

I updated the MR and commented in MR directly.

@grevil Good idea. I added the command in the README.md.

grevil’s picture

Status: Needs review » Needs work

Great work @jan kellermann! 🎉

Added a few comments, otherwise this looks good to go! 👍

Btw, I just worked with the composer merge plugin today in https://www.drupal.org/project/vuejs, and I have to say, I am a bit underwhelmed! From your comment in #3471176: Module violates GDPR compliance through requring the js_cookie library via cdn :

BTW: For the Bill of Materials software, an installation via Composer is preferable because the composer.lock files can then provide complete information about the software used, known security vulnerabilities and available updates. Therefore, a solution via Composer would be the better way than including the library file.

I thought, this issue would be solved through using the composer merge plugin! But unfortunately it doesn't, since it merely merges the provided "composer.libraries.json" with the main composer.json and since we define the library package ourselves, the maintainer of the module providing the composer.libraries.json now has to manually update the version, provide security information and update any information of the external library used! It is but a wrapper. So I am generally more in favor of the bower/asset-packagist approach, as the version automatically updates, if there is a new version upstream.

BUT, since this library wasn't updated for a while and probably won't get any updates any more anyway, it is perfect for this special use case 👍

ressa’s picture

I do still like the pragmatic approach of simply including the library in the module. It would have taken a few minutes, I believe ... just my 2 cents.

jan kellermann’s picture

Status: Needs work » Needs review

Thank you for feedback! I revised the README.md.

Both integration via composer.libraries.json and Asset Manager are used - both have advantages and disadvantages. If both are offered, users can choose their own way - as long as there is no “Drupal way”.

hmdnawaz’s picture

The PR does not apply to the 1.0.1 and dev versions of the module. Here is the patch for 1.0.1.

ressa’s picture

But it says MR !2 mergeable ...

hmdnawaz’s picture

Then the 1.x branch will be different from the 1.0.1.

ressa’s picture

Yes, they usually are different, since the dev branch is under development, and commits are being added continually ... Or do you mean something else?

grevil’s picture

Status: Needs review » Reviewed & tested by the community

Very nice @jan kellermann!

LGTM!

anybody’s picture

@dave reid: Could we please get this merged and release?
I just ran into #3497981: "cookies is undefined" Console error

dgeo’s picture

Version: 1.x-dev » 1.0.1

Please release this !

ressa’s picture

Version: 1.0.1 » 1.x-dev
grevil’s picture

I am fairly certain @dave reid is either super busy, or not working with Drupal anymore.

Over the last year or so, I tried to contact him via Slack + Mail multiple times regarding #3435760: Automated Drupal 11 compatibility fixes for xmlsitemap, to no avail.

I guess somebody has to create an issue regarding module maintainer ship, to get this issue merged.

danrod’s picture

I suggest forking this project, it seems like the good developers are leaving Drupal, and for a good reason.

anybody’s picture

I opened #3515677: Offering to maintain JS Cookie to push things forward here. No reply from dave reid yet.

ressa’s picture

Fantastic news, thanks @anybody!

danrod’s picture

Thank you @anybody

dave reid’s picture

I'm still here and am working to review this. I'm not sure we need the logic to assume local by default, then CDN, rather than the other way around, since they're functionally the same?

anybody’s picture

Thanks dave, that's great! :)
I think the logic behind was "privacy first" and I like it. But of course you could also argue "usability first". It shouldn't be the focus or a blocker.

ressa’s picture

Issue summary: View changes

Yes, to respect privacy, serving locally as default with CDN as fallback is the recommended method:

Note that it is in general not a good idea to load libraries from a CDN; avoid this if possible. It introduces more points of failure both performance- and security-wise, requires more TCP/IP connections to be set up, and usually is not in the browser cache anyway.
[...]
To search for libraries in a specific order, starting with local files, and if not found using for example a CDN as fallback, see Support for third party libraries in site specific and install profile specific libraries folders, and JS Cookie or Tagify for examples on how to do this.

From Adding assets (CSS, JS) to a Drupal module via *.libraries.yml > From CDN / externally hosted libraries.

@dave reid:

I'm not sure we need the logic to assume local by default, then CDN, rather than the other way around, since they're functionally the same?

I believe that is how it currently works, and that's great. I am not sure if the new code added changes anything? I only focused on the documenting part ...

leducdubleuet’s picture

This patch is working well, would it be possible to have a new release including this as is please?

jan kellermann’s picture

I would also prefer the local library for privacy reasons.

anybody’s picture

Maybe someone could ping @dave-reid? Is he active? Otherwise maybe request (co-)maintainership?
This project is very widely used!

danrod’s picture

Let's request new (co-)maintainership @anybody it seems like the maintainer is not interested or busy to review this project or something.
With all due respect of course.

jan kellermann’s picture

I re-opened the issue #3515677 and suggested giving anybody maintainer privileges.

anybody’s picture

Thanks @jan kellermann! Would be great if you could also assist as maintainer! :)

jan kellermann’s picture

@anybody I would be happy to assist you :-)

danrod’s picture

I would like co-maintainer too, if you don't mind

anybody’s picture

Status: Reviewed & tested by the community » Fixed

Merged! Thank you all so much!

@jan kellermann feel free to tag a new stable release, if you agree to.

Now that this issue is closed, please review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, please credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

ressa’s picture

Thanks everyone! It's great to see that this module has multiple maintainers now. Perhaps credits can be given as well?