@return42
Member

To avoid an `unsafe-inline` in the CSP header, the JS code must be moved to the
client side [1].

The `<script>` tag at the end of the HTML originates from the old implementation
of the JS client. Since PR-5073 [2] was merged, the `type` is now `module`, and
the tag must be moved to the beginning of the HTML.

> We need to inline this "JS is enabled?" thing to prevent layout shifts and
> temporary "no JS enabled" visuals as ESM scripts load and eval everything
> deferred from initial DOM render [3]

That's true in theory, but in practice, this effect is unnoticeable because it's
masked by another effect (which we can't avoid): If we load the page with a
severely throttled connection, the HTML (result list) takes a long time to
load. Then the CSS is loaded, which also takes longer. Until the CSS has loaded,
there's no layout. A layout shift is therefore largely determined by the loading
of the HTML and CSS itself.

The running times of the ESM script can be neglected compared to the loading
times of HTML & CSS.

[1] searxng/searxng-docker#424 (comment)
[2] #5073
[3] searxng/searxng-docker#424 (comment)

@return42 return42 requested a review from inetol August 19, 2025 09:04
@return42 return42 merged commit 22c2c93 into searxng:master Aug 21, 2025
7 checks passed
@return42 return42 deleted the fix-unsafe-inline branch August 21, 2025 07:07
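
The CSP effect discussed in this pull request, as an added example that is not part of the PR or of SearXNG's code: it reports which inline `<script>` elements a policy would refuse to run. The HTML samples, the paths and the function names are constructed; the regex scan of the markup is a simplification, and hash sources are detected but not matched against script bodies.

```javascript
// Added example: which inline <script> elements would a given CSP block?
// Simplified model: only <script> elements are checked, hashes are not matched.

// Effective source list for scripts: script-src, else default-src, else null.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Per CSP, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Inline scripts (no src attribute, non-empty body) with their nonce, if any.
function inlineScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (/\bsrc\s*=/i.test(attrs) || body.trim() === "") continue;
    const nonce = /\bnonce\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    found.push({ body: body.trim(), nonce: nonce ? nonce[1] : null });
  }
  return found;
}

// Inline scripts the policy would refuse to run.
function blockedInlineScripts(html, csp) {
  const sources = scriptSources(csp);
  if (sources === null) return []; // no applicable directive: nothing restricted
  const nonces = sources.filter((s) => /^'nonce-/i.test(s)).map((s) => s.slice(7, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  // 'unsafe-inline' is ignored once a nonce or hash source is present (CSP Level 2+).
  const unsafeInline =
    sources.some((s) => s.toLowerCase() === "'unsafe-inline'") && nonces.length === 0 && !hasHash;
  return inlineScripts(html).filter((s) => !unsafeInline && !(s.nonce && nonces.includes(s.nonce)));
}

// Constructed sample pages (not SearXNG's real templates).
const BEFORE = `<html><head><link rel="stylesheet" href="/static/app.css"></head>
<body><script>document.documentElement.className = "js";</script>
<script src="/static/client.js"></script></body></html>`;
const AFTER = `<html><head><script type="module" src="/static/client.js"></script>
<link rel="stylesheet" href="/static/app.css"></head><body></body></html>`;
const STRICT = "default-src 'none'; script-src 'self'; style-src 'self'";
const LOOSE = "script-src 'self' 'unsafe-inline'";
```

With the inline snippet present, only the `LOOSE` policy lets the page work; once the code lives in the external module, the `STRICT` policy blocks nothing.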