Avoid exernal assets

[salim-b]

Directly includes all external assets (JS, CSS, fonts) from first-party plus switches to the minified version of fuse.js. Only implemented for BS5 (old BS3 is left untouched). All external assets are centrally defined in new YAML file inst/BS5/assets_external.yaml which should make future asset maintenance easy.

Direct asset inclusion might be relevant to people trying to strictly adhere to privacy regulations like GDPR, since otherwise IP addresses of site visitors are sent to the asset CDN operators (based in the US) on page load.

Note that the newly imported openssl package used to validate downloaded file hashes was already an indirect mandatory dependence due to the httr import.

Successor to #1541. Fixes #2099.

[salim-b]

Next step could be asset bundling (and minification) into a single CSS and JS file each to reduce the number of requests on page load. Given there's some adequate toolchain available for this in R (which I don't know of)...

Question: Is there a specific reason why currently the unminified version of fuse.js is used in pkgdown? There is a minified version available on the same CDN... Also switched to minified version in 810dd6f.

[hadley]

@salim-b I'm planning to merge this into pkgdown 2.10, which I'll start working on soon. Thanks for continuing to keep this PR up-to-date!

[salim-b]

I'm planning to merge this into pkgdown 2.10, which I'll start working on soon. Thanks for continuing to keep this PR up-to-date!

Cool!

Let me know if you want me to continue working on the refinements we discussed above.

[jayhesselberth]

@salim-b can you bump the version of clipboard.js as in #2468

[salim-b]

@salim-b can you bump the version of clipboard.js as in #2468

Sure, done.

[hadley]

@salim-b I started from your PR, but it's diverged quite a lot 😄 I think there are two key ideas here now:

• Cache the files in the user's cache directory; in hindsight this seems like the obvious place to do the caching. This should make it fast for interactive exploration, and shouldn't have much of an impact on CI since downloading from a CDN should be fast.
• Create htmlDependencies() so we can use all the existing code for handling the bslib html dependencies (in particularly this now has some nice code to report which files have changed).

[hadley]

I also ended up converting the YAML file to R code; in the end I think this is pretty much a net neutral but at various points in my refactoring it seems to make more sense. And there's something nice to keeping all of the dependency code in R.

[salim-b]

@hadley This looks great!

• Caching files in user-cache dir seems fine to me 👍
• Leveraging the existing htmltools:: dependency handling is more elegant 👍
• Specifying the assets in R code instead of YAML data is fine with me (I don't really care)

What came to mind though is that if we want to support asset URLs that always point to the latest release of an asset like the ones Pandoc (3.2+) uses for MathJax 3¹ and KaTeX², we might want to set integrity = NA_character for them in external_dependencies() and skip check_integrity(). But that's something for a separate PR, I guess.

Footnotes

1. https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js ↩

2. https://cdn.jsdelivr.net/npm/katex@latest/dist/katex.min.js and https://cdn.jsdelivr.net/npm/katex@latest/dist/katex.min.css ↩

[hadley]

@salim-b yeah, I was thinking we'd need to do some extra work for the math handling, but with this in place it'll be easier enough to do in separate PR.