https://github.com/lekoala/silverstripe-defer-backend
Defer your requirements in SilverStripe
https://github.com/lekoala/silverstripe-defer-backend
backend csp defer silverstripe
Last synced: about 2 months ago
JSON representation
Defer your requirements in SilverStripe
- Host: GitHub
- URL: https://github.com/lekoala/silverstripe-defer-backend
- Owner: lekoala
- License: mit
- Created: 2020-12-14T13:11:13.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-02-08T12:34:12.000Z (over 2 years ago)
- Last Synced: 2025-08-06T03:52:44.970Z (11 months ago)
- Topics: backend, csp, defer, silverstripe
- Language: PHP
- Homepage:
- Size: 59.6 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
README
# SilverStripe Defer Backend module
[](https://github.com/lekoala/silverstripe-defer-backend/actions)
[](https://scrutinizer-ci.com/g/lekoala/silverstripe-defer-backend/?branch=master)
[](https://scrutinizer-ci.com/g/lekoala/silverstripe-defer-backend/?branch=master)
[](https://scrutinizer-ci.com/g/lekoala/silverstripe-defer-backend/build-status/master)
[](https://codecov.io/github/lekoala/silverstripe-defer-backend?branch=master)
[](https://packagist.org/packages/lekoala/silverstripe-defer-backend)
[](//packagist.org/packages/lekoala/silverstripe-defer-backend)
[](https://packagist.org/packages/lekoala/silverstripe-defer-backend)
[](https://packagist.org/packages/lekoala/silverstripe-defer-backend)
[](https://packagist.org/packages/lekoala/silverstripe-defer-backend)
[](https://packagist.org/packages/lekoala/silverstripe-defer-backend)
## Intro
This module allows you to define a backend that defers your script by default.
As a nice bonus, it also allows you to set a simple content security policy by adding nonce to your scripts.
## Defer your requirements
In order to defer your scripts, you need to replace in your `PageController` the default backend.
```php
protected function init()
{
parent::init();
DeferBackend::replaceBackend();
}
```
Once this is done, all scripts (provided by modules or yourself) will be deferred. This is great
for performance because all scripts become non blocking and load order is preserved.
Scripts are added in the head, since they are not blocking, the browser can load them while parsing
the html.
### Inline scripts
Deferring inline scripts is not possible as such. But since events are fired once the dom is parsed,
you can wrap your scripts like so
```js
window.addEventListener('DOMContentLoaded', function() { ... });
```
This module automatically does this. Be aware that if you rely on global variables, you might want to
prevent this from happening by adding a comment with `//window.addEventListener` somewhere. This
will prevent our class to automatically wrap your script.
### Css order
This module also check your css files and make sure your themes files are loaded last. This make
sure that your styles cascade properly.
## Themed javascript
You can pass an array of options instead of just "type" parameter.
## Cookie consent
In order to support my [cookieconsent module](https://github.com/lekoala/silverstripe-cookieconsent) you
can now pass an additionnal option "cookie-consent" to your javascript files to load them conditionnaly.
```php
Requirements::javascript('myscript.js',['cookie-consent' => 'tracking']);
```
This also work (kind of) for custom scripts. Since the requirements api does not support anything
outside script and uniquenessID, we append the cookie type to the uniquenessID id
```php
Requirements::customScript($script, "ga-tracking");
```
## Security headers
As a small bonus, this module allows you to add two security headers:
- Referrer-Policy
- Strict-Transport-Security (only if https is enabled)
```php
public function handleRequest(HTTPRequest $request)
{
$response = parent::handleRequest($request);
CspProvider::addSecurityHeaders($response);
return $response;
}
```
## Js modules support
If you want to use [native js modules](https://javascript.info/modules-intro), this can
be done with the following config flag:`
```yml
LeKoala\DeferBackend\DeferBackend:
enable_js_modules: true
```
Js modules are deferred by default as well. In addition, script with `type=module` are only
loaded by modern browser, which can be really nice if you want to use modern browsers
and let other older browsers experience a js-less webpage.
This allows you to use native es6 syntax without bundlers like webpack, etc. at the cost
of not supporting older browsers.
## Content security policy
This module also add random nonce to your scripts. This allows you to setup a simple
Content Security Policy.
Also, a `$getCspNonce` is made available in your templates.
```php
public function handleRequest(HTTPRequest $request)
{
$response = parent::handleRequest($request);
CspProvider::addCspHeaders($response);
return $response;
}
```
Please note that the csp is disabled by default. You might want to enable it with the following config:
```yml
LeKoala\DeferBackend\CspProvider:
enable_csp: true
csp_report_uri: "https://my-url-here"
csp_report_only: false
```
Consider setting this to `csp_report_only` at the beginnning because enabling csp can break your website.
## Compatibility
Tested with ^6
Use previous branch for v4/v5
## Maintainer
LeKoala - thomas@lekoala.be