It seems like the benefits of this would be significant for both user and developer - faster loading, lower bandwidth, quicker builds, etc.
It also seems eminently doable, technically. One possible high-level implementation off the top of my head:
- A standard index of the most popular libs is maintained.
- You pull them in via the script tag, with a new lib="name@version" attribute. Older browsers can use the src tag as a backup.
- SPA build systems like webpack et al are aware of the standard and can just not bundle libs pulled this way, while keeping the require() and import syntax.
I do, however, see some pretty big not-strictly-technical difficulties:
- The index would have to be administered by some entity. Who would that be, and who would pay for it?
- Who defines what the most popular libs are? Whatever system is used, how do you prevent it being gamed to the advantage of particular libs?
- Trust and security. A similar set of issues npm faces. Although that being the case, is this really introducing a new problem? It also seems like a much narrower problem if we're only talking about a small set of very popular libs.
- Maybe some issues around licensing, bundling code into browsers etc. But again, if it's a smallish set of only very popular libs, this seems like it could be dealt with individually for each one and its authors, maybe as a prerequisite for getting included in the index.
These difficulties are not insignificant, but nor do they seem insurmountable and also the benefits do seem genuinely worth it.
It just appears to me to be something that should so obviously have been done, that there must be really good reasons why it hasn't been - maybe including those above, maybe technical, maybe others.
Does anyone know if any serious attempt has ever been made at a proposal to do something like this, even if in a non-standard way by an individual browser vendor?
https://addons.mozilla.org/en-GB/firefox/addon/decentraleyes...
https://chrome.google.com/webstore/detail/localcdn/njdfdhgcm...
The aim is improving privacy - your browser doesn't need to request the libraries from a CDN, so you can't be tracked by them.
This does also bring the performance gains you mention.
Bundling with the browser wouldn’t be enough in my opinion— the ecosystem moves too fast and you’d risk bundling outdated code.
Instead, cache common assets you’ve downloaded naturally while browsing. Use some heuristic to keep the most heavy and frequently used assets cached.
I don’t think you’d need an index. You could instead use a cryptographic hash of the asset’s content as a cache key, and the page can specify further parameters for ensuring the integrity of assets cached from external sources.
Browsers already do cache assets, but to my knowledge privacy concerns result in this cache being scoped per-site.
My understanding of one of the primary privacy concerns is that you might cache a dependency which either intentionally or unintentionally acts as a tracker. If site A and site B share a dependency C, either site may be able to deduce that you visited the other by observing whether you had to retrieve C or if it was cached. I’m sure a dedicated party could craft a system which fingerprints users by giving them unique dependencies to cache. I think coming up with a solution to this problem would open the door to something like this becoming a real possibility.
And specifying a version range isn’t sufficient, because humans will and do get it wrong - either the one specifying the range or the one publishing a new version.
Ultimately, browsers cache static assets anyways. So this idea only helps the user’s first page load for a given website.
Edit: I’ll add that at my company we looked into preloading assets that are commonly used across teams’ web apps. And this is why we didn’t build it.
It could potentially use the HTML tag's integrity attribute (see: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/li...) for content addressable DHT lookups.
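
The two ideas discussed above (a cache keyed by the asset's content hash, and the per-site scoping that prevents one site from observing another's cached dependencies) can be seen side by side in the following added example, which is not part of the original thread or any browser's code. The `IntegrityCache` class, the site names and the sample asset are hypothetical; the `sha384-<base64>` value follows the format of the `integrity` attribute.

```javascript
const crypto = require("node:crypto");

// Integrity value in the form used by the integrity attribute: "<algo>-<base64 digest>".
function sriDigest(bytes, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
}

// Hypothetical cache keyed by integrity value instead of URL.
// With `partitioned: true` the key also includes the top-level site,
// i.e. the per-site scoping mentioned in the thread.
class IntegrityCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  key(site, integrity) {
    return this.partitioned ? `${site} ${integrity}` : integrity;
  }
  // Store bytes only if they hash to the value the page declared.
  put(site, integrity, bytes) {
    const algo = integrity.split("-", 1)[0];
    if (!["sha256", "sha384", "sha512"].includes(algo)) return false;
    if (sriDigest(bytes, algo) !== integrity) return false;
    this.store.set(this.key(site, integrity), bytes);
    return true;
  }
  // A hit means no network fetch; that difference is what a page can observe.
  has(site, integrity) {
    return this.store.has(this.key(site, integrity));
  }
}

// Constructed sample asset standing in for a popular library.
const lib = Buffer.from("/* constructed sample library v1.0.0 */ function f(){}");
const integrity = sriDigest(lib);

function demo(partitioned) {
  const cache = new IntegrityCache({ partitioned });
  const stored = cache.put("a.example", integrity, lib);
  const tamperedRejected = !cache.put("a.example", integrity, Buffer.from("tampered"));
  // Would a different site get a cache hit for the same content hash?
  const visibleToOtherSite = cache.has("b.example", integrity);
  return { stored, tamperedRejected, visibleToOtherSite };
}

console.log("shared:", demo(false), "partitioned:", demo(true));
```

The shared cache gives the cross-site hit that makes the performance gain possible and also exposes the visit to `a.example`; the partitioned cache removes both.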
I think that a lot of the way websites are developed would have to change to support such an initiative.
It's the same concept as OS drivers but for the browser?
Like Linux including Python by default?