Minify inline

[javdl]

Minify styles & scripts which are placed inline. For example the Google Analytics code will be minified.

[Garbee]

As far as I know, we don't use handlebars in the project. We shouldn't add exclusions to things not used in the repo.

[surma]

@Joostvanderlaan Thanks for the effort. I definitely agree that we should minify inline stuff as well. Both @Garbee and myself commented on a few things that need addressing before we merge, tho :)

[javdl]

@surma I just pushed the changes you and @Garbee suggested, integrated them to the best of my knowledge.

[Garbee]

This either needs to be removed or we need to do something custom like the cssSelector one. We should not have ignores for things our repo doesn't use.

[Garbee]

Still one of the old issues exists.

Thinking about this though, there is one problem doing this. Content Security Policy allows you to pre-hash inline scripts and styles to validate they are safe to run. Auto-minifying is going to change the hash value for developers. This increases the barrier to integrating CSP for developers to realize what is going on.

We should be very mindful adding this in. Is it really providing a major enough benefit to make developers adopting CSP possibly be very confused as to why things aren't working?

[javdl]

@Garbee CSP suggests outlining all scripts (styles are more or less OK). Only when it's really not possible to outline scripts you may inline them with a hash. But since the GA script has the variable UA-XXXXX-X in there, I don't see hashing happening for anyone using WSK unless some Gulp task is included to create that hash for for them.

<script nonce=EDNnf03nceIOfn39fn3e9h3sdfa>
  //Some inline code I cant remove yet, but need to asap.
</script>

[Garbee]

The actual specification shows no preference to suggesting external scripts. However, since the nonce attribute is required on them, we can do an easy filter out of those scripts in the config. That is what we should do by default to help avoid this problem.

[surma]

My 2¢: Hashing for CSP should be done after minification in the build process. To much data can be saved to justify skipping minification on inline styles and scripts.

[Garbee]

Is there a gulp plugin that can reasonably do that?

I believe the Pagespeed mod for apache and nginx can, but it is a beast of its own in terms of page control.

[javdl]

FYI, my PR for data-do-not-minify is merged into gulp-minify-inline

[surma]

cc @gauntface @addyosmani

[gauntface]

This gets a +1 from me.

If CSP becomes an issue for someone, I'd expect them to be aware of ahead of time and address with additional tooling as needed (or simply remove the steps in this task).