
Re: CSP : inline functions ?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 25 Feb 2011 10:09:12 -0800
Message-ID: <AANLkTin-CB77WzQtbcYo6vFOu-TDDpKAawg8Fy7cL0AX@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
>
> <script src="otherscript.js">
> {"json":"here"}
> </script>
>

The network fetch that loading an external script could require is even slower.

-devdatta

> otherscript.js:
> var scripts = document.getElementsByTagName("script");
> var lastScript = scripts[scripts.length-1];
> var configStr = lastScript.innerText || lastScript.textContent;
> var config = JSON.parse(configStr);
>
> Or Firefox can provide this:
>
> <script for="something">{"json":"here"}</script>
>
> Which can be accessed later on with:
> window.config.something.json
>
> Or something like that.. but don't make CSP less-safe please :)
>
> Greetz
> -- Eduardo
>
>
>
>
> On Fri, Feb 25, 2011 at 9:56 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>
>>>  <mytag id="sql_stuff" value="<PHP-code-here>" />
>>>
>>> then later in script (externally loaded, static)
>>>
>>>  foo(document.getElementById("sql_stuff").getAttribute("value"))
>>>
>>
>> This is really slow compared to a direct call.
>>
>> -devdatta
>>
>>
>>
>>> -Dan Veditz
>>>
>>
>>
>
Received on Friday, 25 February 2011 18:11:07 GMT
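
The pattern discussed in this thread (server-generated data placed in the markup and read by a static external script, so that CSP does not have to allow inline script) is sketched below as an added example; it is not code from any participant. The `application/json` data block, the id `page-config`, the function names and the sample data are assumptions, and `dataBlockText` only stands in for what `document.getElementById(id).textContent` returns in a browser.

```javascript
// Server side: serialize data into a non-executing data block.
// Escaping <, >, & and U+2028/U+2029 as \uXXXX keeps the HTML parser from
// ever seeing "</script" or "<!--" inside the JSON; JSON.parse decodes them.
const ESCAPES = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
                  '\u2028': '\\u2028', '\u2029': '\\u2029' };

// `id` is assumed to be a fixed, developer-chosen identifier, never user input.
function toDataBlock(id, value) {
  const json = JSON.stringify(value)
    .replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
  return `<script type="application/json" id="${id}">${json}</script>`;
}

// Unescaped variant, kept only to show the failure mode.
function toDataBlockNaive(id, value) {
  return `<script type="application/json" id="${id}">${JSON.stringify(value)}</script>`;
}

// Stand-in for the browser: a script element's text ends at the first
// "</script", whatever the JSON quoting says.
function dataBlockText(html, id) {
  const open = `<script type="application/json" id="${id}">`;
  const start = html.indexOf(open);
  if (start < 0) return null;
  const from = start + open.length;
  const end = html.toLowerCase().indexOf('</script', from);
  return end < 0 ? null : html.slice(from, end);
}

// Client side (static external script): read and parse the block.
// Returns null when the block is missing or is not valid JSON.
function readConfig(html, id) {
  const text = dataBlockText(html, id);
  if (text === null) return null;
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Constructed sample: a value that contains a closing script tag.
const sample = { query: 'name = "a</script><b>b"', limit: 10 };
const safePage = toDataBlock('page-config', sample);
const naivePage = toDataBlockNaive('page-config', sample);
```

With the unescaped variant the block is cut off at the embedded closing tag and the rest of the value is parsed as markup; the escaped variant round-trips the same value unchanged.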
