Open mythmon opened 11 years ago
Does this apply to the Angular templates? They are wrapped in script tags when minified/in prod.
Is there any particular reason why the current inline scripts will cause a security concern? I'm curious to know.
I don't know if this applies to <script> tags that aren't JS. I would guess no, but I'm not sure.
The current scripts do not cause a security concern. The security concern is that, since you display user-generated content, XSS attacks might be possible, so CSP recommends the nuclear option of disabling inline JavaScript.
This probably isn't an issue, since Kitsune is pretty good about sanitizing what it sends out. However, the Mozilla Webdev style guide says "No CSS or JS in the HTML". It is a generally good idea.
I would need to inject that data somehow. I'm reluctant to use AJAX, as having that information is part of the page initialization.
Data attributes will make everything relatively ugly, though that's doable. The alternative is to include a separate JS file that's rendered by Jinja2, which is preferable but adds an extra request/file to download (which probably is not a big deal).
Since most of these (except language) are just simple values, I would go with data attributes. I agree that doing it as an AJAX request is a little lame for some of these.
Disabling inline script tags is a great way to boost security, and it is good practice to not use them at all. Data that needs to be passed from the server to the client could be passed in data attributes or AJAX calls.
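The two things this thread turns on, as an added example that is not Kitsune's code nor anything posted by the participants: first, a check that lists what a `script-src 'self'` policy without `'unsafe-inline'` refuses to run (`<script>` elements with no `src`, and `on*` handler attributes), reporting the `type` of each so that non-JS templates such as `text/ng-template` can be told apart from real inline JS; second, the data-attribute route the last two comments settle on, rendering the server-side values as `data-*` attributes with HTML escaping so that a user-controlled value cannot close the attribute and start a tag. The sample page, the attribute names `data-lang` and `data-user`, and the helper names are constructed for this example; the client side would read them with `element.dataset.lang` and `JSON.parse(element.dataset.user)`.

```python
"""Added example (not Kitsune project code). Finds inline scripts and handler
attributes that a CSP script-src policy would block, and renders server values
as escaped data-* attributes instead. SAMPLE_PAGE is constructed for the demo."""
import html
import json
import re
from html.parser import HTMLParser


class InlineScriptFinder(HTMLParser):
    """Collect <script> elements without src, plus on* handler attributes.

    Both are what `script-src 'self'` (no 'unsafe-inline') refuses to run, so
    this is the audit to do before shipping the header."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open_script = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        for name in attrs:
            if name.startswith("on"):
                self.findings.append({"kind": "event-handler", "tag": tag,
                                      "attr": name, "line": self.getpos()[0]})
        if tag == "script" and "src" not in attrs:
            # Keep the type: text/javascript executes, text/ng-template does not,
            # so the reader can decide which entries actually need moving.
            self._open_script = {"kind": "inline-script",
                                 "type": attrs.get("type", "text/javascript"),
                                 "line": self.getpos()[0]}

    def handle_endtag(self, tag):
        if tag == "script" and self._open_script is not None:
            self.findings.append(self._open_script)
            self._open_script = None


def find_inline_scripts(markup):
    parser = InlineScriptFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


_ATTR_NAME = re.compile(r"[a-z][a-z0-9-]*")


def render_data_attributes(values):
    """Serialise server-side values into data-* attributes.

    Strings are emitted as-is; anything else becomes JSON so the client can
    JSON.parse(element.dataset.name). html.escape(quote=True) is what stops a
    user-controlled value from closing the attribute and opening a tag."""
    parts = []
    for name, value in values.items():
        if not _ATTR_NAME.fullmatch(name):
            raise ValueError("bad data attribute name: %r" % name)
        text = value if isinstance(value, str) else json.dumps(value)
        parts.append('data-%s="%s"' % (name, html.escape(text, quote=True)))
    return " ".join(parts)


# Constructed sample page: one real inline script, one Angular template in a
# script tag, one external script, and one inline click handler.
SAMPLE_PAGE = """<html><body>
<script>var LANG = "en-US", USER = {"name": "alice"};</script>
<script type="text/ng-template" id="greeting.html"><div>{{ name }}</div></script>
<script src="/static/js/main.js"></script>
<a href="#" onclick="track('click')">Track</a>
</body></html>"""


def demo():
    findings = find_inline_scripts(SAMPLE_PAGE)
    # A hostile username: without escaping this would break out of the attribute.
    attrs = render_data_attributes({"lang": "en-US",
                                    "user": {"name": 'al"ice<script>'}})
    return findings, attrs


if __name__ == "__main__":
    found, rendered = demo()
    for entry in found:
        print(entry)
    print("<body %s>" % rendered)
```

The finder reports the `text/ng-template` block alongside the real inline script because both are `<script>` elements without `src`; the `type` field is there so the two can be separated rather than treated alike. Run against a rendered Kitsune page, the list is the set of things to move into static files or data attributes before the CSP header goes live.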