I'm working on a Chrome extension and it's almost done. It uses CryptoJS, though, and I was wondering if it's okay to have those files (e.g. sha1.js) inside the extension package when I publish it. (I downloaded CryptoJS and copied the SHA script file into the extension directory.)
The alternative, of course, would be to include the URL in the script tag, but that didn't work right off the bat.
Any help would be appreciated.
There are pros and cons. Mostly pros.
- A local file will load faster - disk latency is lower than network latency.
- A local file will ensure your extension works offline / in poor connectivity.
- A local file is more reliable in case the CDN has problems.
- A local file enjoys additional protection (at least on Windows/Mac platforms), as CWS will generate checksums for all files and a store-installed extension will be stopped from loading if the files are tampered with.
- A local file is safe from network MITM attacks.
- A local file is frozen at a particular version - you don't run the risk of a library updating and breaking compatibility.
- Using external code in main extension code (not content scripts) requires a modification of CSP and an HTTPS-enabled CDN (for the MITM-attack reason).
- Using external code in content scripts may require additional permissions (depending on the CDN's CORS configuration).
However, it will be up to you to keep the library updated.
- If there is a critical bug/exploit in the library, a CDN-served file (if it points to the "latest" version) can be silently updated to mitigate that. In the case of a local file, you need to learn about the update and apply it yourself.
- A local file cannot be updated without publishing a new version to CWS. An externally-hosted file can be updated independently.
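
The choice discussed in the answer above can be checked before publishing. The following is an added example, not code from the original post: it lists remote script origins allowed by the manifest's CSP and remote `<script src>` tags in extension pages. The function names, the host `cdn.example` and the sample manifest and pages are constructed for illustration.

```javascript
// Added example: audit an extension package for remotely hosted scripts.
// The regex scan of HTML is a heuristic, not a full parser.

// Source list of script-src (falls back to default-src) from a CSP string.
function scriptSources(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives['script-src'] || directives['default-src'] || [];
}

// Manifest V2 stores the policy as a string, V3 as an object with extension_pages.
function manifestCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (!csp) return '';
  return typeof csp === 'string' ? csp : (csp.extension_pages || '');
}

// Findings: remote origins allowed by the CSP, and remote <script src> in pages.
function auditExtension(manifest, pages) {
  const findings = [];
  for (const src of scriptSources(manifestCsp(manifest))) {
    if (/^https:\/\//i.test(src)) {
      findings.push({ where: 'csp', src, issue: 'remote-origin-allowed' });
    } else if (/^(http:\/\/|http:$|https:$|\*$)/i.test(src)) {
      findings.push({ where: 'csp', src, issue: 'insecure-or-wildcard' });
    }
  }
  for (const [file, html] of Object.entries(pages)) {
    const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
    let m;
    while ((m = re.exec(html)) !== null) {
      const issue = /^http:\/\//i.test(m[1]) ? 'remote-script-over-http'
        : /^https:\/\//i.test(m[1]) ? 'remote-script' : null;
      if (issue) findings.push({ where: file, src: m[1], issue });
    }
  }
  return findings;
}

// Constructed sample: one page loads sha1.js from a CDN, one loads the bundled copy.
const sampleManifest = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' https://cdn.example; object-src 'self'",
};
const samplePages = {
  'popup.html': '<script src="https://cdn.example/sha1.js"></script><script src="popup.js"></script>',
  'options.html': '<script src="sha1.js"></script>',
};
```

An empty result from `auditExtension` means every script the scan found is loaded from inside the package.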