does it matter if you use an actual .js file when pulling it in as source from one domain to another

Question

Sort of an odd question but I cannot find anything on Google about it. When pulling in a .js file, like in the below code ( Facebook Dev ):

(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src =     "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.4&appId=111111";
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));

What is he js.src was something like //connect.facebook.net/en/sdk and on that page was all of the javascript code as just plain text. Putting this between the script tags would make it act as javascript. I have done a few tests and it seems to work fine but I'm convinced I am missing something.

So in a nutshell, is this ok / secure / stable?

Thank you both for the replies. – Webtect Mar 19 '17 at 04:16 — Webtect, Mar 19 '17 at 04:16

score 0 · Answer 1 · edited May 23 '17 at 12:17

2 things. First, your source file is in fact a js file (connect.facebook.net/en_US/sdk.js) with some data afterwards. I tried opening the full and short url and they appear to be the same source file so it shouldn't matter if you just used connect.facebook.net/en_US/sdk.js.

Second, you can have an opening script tag with type="text/javascript" or you can declare it within the script tag itself using the document.createElement('script') way, as you did with (document, 'script', 'facebook-jssdk').

Either way is ok, but there is a great post that explains the differences here

Also, you did it the way the facebook SDK instructions recommend, so I am sure it's secure. ;-)

score 0 · Accepted Answer · answered Mar 18 '17 at 21:11

Both are fine. Simply this add more layers, like avoiding doubleinserting the same script.

This simply creates a DOM element like this:

<script id="facebook-jssdk" src="//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.4&appId=111111" />

Step by step:

(function(d, s, id) { // function with 3 arguments
  // Because of the call below, the arguments are:
  // d = document
  // s = "script"
  // id = "facebook-jssdk"
  var js, fjs = d.getElementsByTagName(s)[0]; // Gets all elements of type "script"
  if (d.getElementById(id)) return; // Checks if any of the existent elements have the id "facebook-jssdk", to not doubleinsert
  js = d.createElement(s); js.id = id; // Creates an element of type "script" and sets the id
  js.src =     "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.4&appId=111111"; // Sets the source
  fjs.parentNode.insertBefore(js, fjs); // Inserts the script
}(document, 'script', 'facebook-jssdk')); // calls the function above with 3 parameters

So yes, it will actually think that the file is a javascript one, as it is loaded the same way as usually with other scripts.

does it matter if you use an actual .js file when pulling it in as source from one domain to another

2 Answers2