Why is serving YUI3 over HTTPS so hard?

Yahoo! don’t have a HTTPS YUI3 endpoint. This means that you have to do some work to serve YUI3 if you want to avoid Internet Explorer users from getting warnings about mixed content (and you do). That work, for me at least, was particularly troublesome. However, I eventually found a simple method for solving the majority of the issues I was having.

The royal paths

There are a few semi-official options for running YUI3 over SSL:

None of the above worked for me.

Firstly, the PHP Loader is buggy and requires some code changing to make it work anyway. After a day or two of playing with that I gave up on it.

Secondly, I got distracted by some efforts to do combo services in node.js. This was silly, introducing an enormous new set of dependencies to my Rails app would have been torture.

Thirdly, the dependency configurator is great, but you need to know what you depend on. The chances are, though, you don’t. YUI’s clever loader only loads the bits it needs for the browser it’s running on. If you customise a rollup that works with Chrome, the chances are that it won’t work on Internet Explorer 7 (for example) because you won’t have included the compatibility modules.

The peasant’s path

So how did I solve this horrible problem? I wanted to know exactly which modules were being loaded by the lowest-common-denominator browser to be supported by the project, which was Internet Explorer 7. On a more modern browser, you’d have a nice developer console. Getting such a thing for IE7 is like self harm.

As it happens, I’d installed Fiddler on my IE7 VM to track down some other rogue SSL requests (it later turned out to be a Modernizr bug). Using Fiddler whilst browsing around the site I could find the modules being loaded by YUI. Happily, the compatibility modules don’t negatively impact modern browsers (apart from being an extra download).

Once I’d found the modules being loaded, I curl’d the official YUI3 combo URL into a file (without minification, as this is done in the project in a deployment step). This file could then be served on my project’s own CDN. Sorted.

I should note that the process above sounds really easy. Conversely, it was one of the most frustrating development problems I’ve come across in my career. If you’re listening, Yahoo!, please host your combo service for SSL. Please.

4 Replies to “Why is serving YUI3 over HTTPS so hard?”

  1. Thanks for this note–I’m in the same boat for the same reasons. Since I’m working in ASP.NET I’ll spend a little more time seeing if it isn’t trivial to impliment a combo loader for that platform…but if it isn’t I’m doing what you did.

Comments are closed.