marko-js-archive / marko-widgets

[LEGACY] Module to support binding of behavior to rendered UI components rendered on the server or client
http://v3.markojs.com/docs/marko-widgets/
MIT License

Enhancement: Content Security Policy support #115

Open patrick-steele-idem opened 8 years ago

patrick-steele-idem commented 8 years ago

Currently, Marko Widgets renders inline <script> tags on the server, uses eval(), and uses inline styles in a few places. Inline scripts and styles are not allowed with a strict CSP unless the tags are whitelisted using a nonce attribute. Also, eval() is currently used to parse sanitized JSON data sent from the server for performance reasons, but in CSP mode we should use JSON.parse().

Related issue for Lasso.js: https://github.com/lasso-js/lasso/issues/93

maberer commented 8 years ago

For further information on this specific topic, https://github.com/marko-js/marko-widgets/issues/27 should be considered related to this issue.

patrick-steele-idem commented 8 years ago

Doh. Thanks for the reminder @tindli :)