akamai / boomerang

End user oriented web performance testing and beaconing
http://akamai.github.io/boomerang/

Setup options that don't require an inline script tag #309

Closed bryanbraun closed 3 years ago

bryanbraun commented 4 years ago

We have a Content Security Policy that doesn't allow any inline-script tags. I'm looking for ways we might implement this without needing to update the CSP (I'd like to avoid setting up a nonce, hash, etc).

The custom build approach in the README still uses an inline script, but it looks like its only purpose is to prioritize the script tag loading the external file. If I can guarantee priority at the top of the document, is it ok to load it as an external resource instead?

<!-- this is positioned first, before any other script tags -->
<script src="build/my-custom-boomerang-build-with-initialization.js"></script>

Alternatively, if I wasn't concerned about synchronous loading, would something like this be safe, or would loading it from an external file affect the integrity of the data?

<!-- this is positioned first, before any other script tags -->
<script src="boomerang.js"></script>
<!-- any plugins I want to include go here -->
<script src="boomerang-init.js"></script>
<!-- Where boomerang-init.js contains the code for the simple synchronous way
  BOOMR.init({
    beacon_url: "http://yoursite.com/beacon/"
  });
-->
ceckoslab commented 4 years ago

Hello @bryanbraun

I know that using a nonce could complicate things at server side but I am wondering why hash won't be a good solution in your case? When using a hash you will need to generate a hash only once and then add it on your CSP header.
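
The hash approach in practice, as an added example that is not part of this thread or of boomerang itself: a small Python helper that computes the CSP hash source for an inline initialisation snippet (the browser hashes the exact script body, whitespace included, so the hash has to be regenerated whenever the snippet changes), builds a script-src directive from it, and checks whether a given header value would let that inline script run. The snippet and the beacon URL are constructed placeholders, and the function names (csp_script_hash, build_script_src, inline_script_allowed) are this example's own.

```python
import base64
import hashlib

# Constructed sample: the kind of inline initialisation snippet discussed in
# this thread. The beacon_url is a placeholder, not a real endpoint.
INLINE_INIT_SNIPPET = """
  BOOMR.init({
    beacon_url: "https://example.invalid/beacon/"
  });
"""


def csp_script_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for one inline script.

    The browser hashes the exact bytes between <script> and </script>, so the
    body must be passed verbatim: a reformatted or re-indented snippet gets a
    different hash and is blocked.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash sources must use sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_script_src(allowed_hashes, hosts=("'self'",)) -> str:
    """Build a script-src directive: host sources plus one hash per inline script."""
    return "script-src " + " ".join(list(hosts) + list(allowed_hashes))


def _directive_sources(csp_value: str, name: str):
    """Return the source list of a directive, or None if the policy lacks it."""
    for directive in csp_value.split(";"):
        directive_name, _, value = directive.strip().partition(" ")
        if directive_name == name:
            return value.split()
    return None


def inline_script_allowed(csp_value: str, script_body: str) -> bool:
    """Decide whether a CSP header value would let this inline script execute.

    Mirrors the browser rules that matter here: script-src falls back to
    default-src; 'unsafe-inline' permits everything only when no hash or nonce
    source is present (a hash or nonce makes the browser ignore it); otherwise
    the script runs only if one of the hash sources matches its exact body.
    """
    sources = _directive_sources(csp_value, "script-src")
    if sources is None:
        sources = _directive_sources(csp_value, "default-src")
    if sources is None:
        return True  # the policy does not restrict scripts at all
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return any(csp_script_hash(script_body, algo) in sources
               for algo in ("sha256", "sha384", "sha512"))


if __name__ == "__main__":
    # Generate the hash once at build time and ship it in the CSP header.
    snippet_hash = csp_script_hash(INLINE_INIT_SNIPPET)
    policy = build_script_src([snippet_hash])
    print("Content-Security-Policy: " + policy)
    print("verbatim snippet allowed:", inline_script_allowed(policy, INLINE_INIT_SNIPPET))
    print("re-indented snippet allowed:", inline_script_allowed(policy, INLINE_INIT_SNIPPET.strip()))
```

The check with the stripped snippet is the failure mode worth knowing about: any tool that minifies or re-indents the inline snippet at deploy time silently invalidates the hash, so the hash generation belongs in the same build step that emits the final HTML.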

bryanbraun commented 3 years ago

@ceckoslab, thanks. The hash is the solution we ended up moving towards.

I do think it would be nice if the docs were more explicit in explaining why an inline script tag is necessary... I'm still not sure why the approaches I proposed above wouldn't work. ¯\_(ツ)_/¯

bluesmoon commented 3 years ago

Your approach would work, but would slow down your page load.

bryanbraun commented 3 years ago

That makes sense. Thanks for the quick responses all. 💯

nicjansma commented 3 years ago

For posterity, the benefits of the Non Blocking Loader Snippet are described here: https://akamai.github.io/boomerang/tutorial-loader-snippet.html

But certainly an inline <script> tag can be used if desired!