Load jquery from CDN

This is to improve performance for the following reasons:

- Browser loads more in parallel due to loading from different servers.
- CDN libraries likely to be already cached as it is referenced by other websites / web apps.
- CDN will deliver lower latencies with the possible exception of intranet.

Fixes #19932

config_defaults_inc.php

@@ -3410,13 +3410,21 @@
  */
 $g_css_rtl_include_file = 'rtl.css';
 
-
 /**
  * meta tags
  * @global string $g_meta_include_file
  */
 $g_meta_include_file = '';
 
+/**
+ * A flag that indicates whether to use CDN (content delivery networks) for loading
+ * javascript libraries and their associated CSS.  This improves performance for
+ * loading MantisBT pages.  This can be disabled if it is desired that MantisBT
+ * doesn't reach out outside corporate network.
+ * @global integer $g_cdn_enabled
+ */
+$g_cdn_enabled = OFF;
+
 ################
 # Redirections #
 ################

core/html_api.php

@@ -365,7 +365,13 @@ function require_css( $p_stylesheet_path ) {
 function html_css() {
 	global $g_stylesheets_included;
 	html_css_link( config_get( 'css_include_file' ) );
-	html_css_link( 'jquery-ui-1.11.4.min.css' );
+
+	if ( config_get( 'cdn_enabled' ) == ON ) {
+		echo '<link rel="stylesheet" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/themes/smoothness/jquery-ui.css">' . "\n";
+	} else {
+		html_css_link( 'jquery-ui-1.11.4.min.css' );
+	}
+
 	html_css_link( 'common_config.php' );
 	# Add right-to-left css if needed
 	if( lang_get( 'directionality' ) == 'rtl' ) {
@@ -439,8 +445,15 @@ function html_head_javascript() {
 
 	echo "\t" . '<script type="text/javascript" src="' . helper_mantis_url( 'javascript_config.php' ) . '"></script>' . "\n";
 	echo "\t" . '<script type="text/javascript" src="' . helper_mantis_url( 'javascript_translations.php' ) . '"></script>' . "\n";
-	html_javascript_link( 'jquery-1.11.3.min.js' );
-	html_javascript_link( 'jquery-ui-1.11.4.min.js' );
+
+	if ( config_get( 'cdn_enabled' ) == ON ) {
+		echo "\t" . '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>' . "\n";
+		echo "\t" . '<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js"></script>' . "\n";
+	} else {
+		html_javascript_link( 'jquery-1.11.3.min.js' );
+		html_javascript_link( 'jquery-ui-1.11.4.min.js' );
+	}
+
 	html_javascript_link( 'common.js' );
 	foreach ( $g_scripts_included as $t_script_path ) {
 		html_javascript_link( $t_script_path );

core/http_api.php

@@ -162,12 +162,25 @@ function http_security_headers() {
 			$t_csp[] = "img-src 'self' $t_avatar_url";
 		}
 
+		$t_style_src = "style-src 'self'";
+		$t_script_src = "script-src 'self'";
+
+		# White list the CDN urls (if enabled)
+		if ( config_get( 'cdn_enabled' ) == ON ) {
+			$t_cdn_url = 'https://ajax.googleapis.com';
+			$t_style_src .= " $t_cdn_url";
+			$t_script_src .= " $t_cdn_url";
+		}
+
 		# Relaxing policy for roadmap page to allow inline styles
 		# This is a workaround to fix the broken progress bars (see #19501)
 		if( 'roadmap_page.php' == basename( $_SERVER['SCRIPT_NAME'] ) ) {
-			$t_csp[] = "style-src 'self' 'unsafe-inline'";
+			$t_style_src .= " 'unsafe-inline'";
 		}
 
+		$t_csp[] = $t_style_src;
+		$t_csp[] = $t_script_src;
+
 		# Set CSP header
 		header( 'Content-Security-Policy: ' . implode('; ', $t_csp) );
 

docbook/Admin_Guide/en-US/config/html.xml

@@ -67,6 +67,17 @@
 				</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>$g_cdn_enabled</term>
+			<listitem>
+				<para>
+					A flag that indicates whether to use CDN (content delivery networks) for loading
+					javascript libraries and their associated CSS.  This improves performance for
+					loading MantisBT pages.  This can be disabled if it is desired that MantisBT
+					doesn't reach out outside corporate network.  Default OFF.
+				</para>
+			</listitem>
+		</varlistentry>
 		<varlistentry>
 			<term>$g_main_menu_custom_options</term>
 			<listitem>