Re: CSP : inline functions ?

And if people really want to put stuff inside <scripts> they can do.

<script src="otherscript.js">
{"json":"here"}
</script>

otherscript.js:
var scripts = document.getElementsByTagName("script");
var lastScript = scripts[scripts.length-1];
var configStr = lastScript.innerText || lastScript.textContent;
var config = JSON.parse(configStr);

Or Firefox can provide this:

<script for="something">{"json":"here"}</script>

Which can be accessed later on with:
window.config.something.json

Or something like that.. but don't make CSP less-safe please :)

Greetz
-- Eduardo




On Fri, Feb 25, 2011 at 9:56 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>
>>  <mytag id="sql_stuff" value="<PHP-code-here>" />
>>
>> then later in script (externally loaded, static)
>>
>>  foo(document.getElementById("sql_stuff").getAttribute("value"))
>>
>
> This is really slow compared to a direct call.
>
> -devdatta
>
>
>
>> -Dan Veditz
>>
>
>

Received on Friday, 25 February 2011 18:08:23 UTC
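
Added example, not part of the original message or of any CSP implementation: a sketch of how the data-in-markup patterns discussed above could be fed safely, so that server-generated values stay data and cannot terminate the `<script>` element or the attribute early. The function names `jsonForScriptBody`, `escapeAttr` and `readConfig` are hypothetical, and the sample value is constructed.

```javascript
// Added example (not from the thread). All function names are hypothetical.

// Server side: serialize data for the body of a <script> element.
// JSON.stringify alone is not enough: a string value containing "</script>"
// or "<!--" changes how the HTML parser tokenizes the element. "<" is the
// character that matters; ">" and "&" are escaped too as defence in depth.
// \uXXXX escapes keep the text valid JSON with the same parsed value.
function jsonForScriptBody(data) {
  return JSON.stringify(data).replace(/[<>&]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Server side: escape a string for a double-quoted HTML attribute value
// (the <mytag value="..."> variant quoted in the thread).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Client side (static external script): treat the element text strictly as
// data. JSON.parse never executes it; malformed input yields null.
function readConfig(scriptEl) {
  const text = scriptEl.textContent || "";
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Constructed sample: a value that would otherwise close the element early.
const sample = { json: "here</script><p>injected" };
const body = jsonForScriptBody(sample);
const html = '<script src="otherscript.js">' + body + "</script>";
// Any object with a textContent property stands in for the DOM element here.
const roundTrip = readConfig({ textContent: body });
```
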