Re: CSP : inline functions ?

From: <sird@rckc.at>
Date: Fri, 25 Feb 2011 10:23:45 -0800
Message-ID: <AANLkTi==i2K4HShFzJVEW_mrVZ==Uf_A+6q9evEP5JEZ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
It's a static script that always does the same.

That would be true, once every month, or every 3 months, or every
year. Caching ftw
-- Eduardo




On Fri, Feb 25, 2011 at 10:09 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>
>> <script src="otherscript.js">
>> {"json":"here"}
>> </script>
>>
>
> The network fetch that loading an external script could require is even slower.
>
> -devdatta
>
>> otherscript.js:
>> var scripts = document.getElementsByTagName("script");
>> var lastScript = scripts[scripts.length-1];
>> var configStr = lastScript.innerText || lastScript.textContent;
>> var config = JSON.parse(configStr);
>>
>> Or Firefox can provide this:
>>
>> <script for="something">{"json":"here"}</script>
>>
>> Which can be accessed later on with:
>> window.config.something.json
>>
>> Or something like that.. but don't make CSP less-safe please :)
>>
>> Greetz
>> -- Eduardo
>>
>>
>>
>>
>> On Fri, Feb 25, 2011 at 9:56 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>>
>>>>  <mytag id="sql_stuff" value="<PHP-code-here>" />
>>>>
>>>> then later in script (externally loaded, static)
>>>>
>>>>  foo(document.getElementById("sql_stuff").getAttribute("value"))
>>>>
>>>
>>> This is really slow compared to a direct call.
>>>
>>> -devdatta
>>>
>>>
>>>
>>>> -Dan Veditz
>>>>
>>>
>>>
>>
>
Received on Friday, 25 February 2011 18:25:25 GMT
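
The pattern discussed in this thread, as an added example that is not part of the original messages: a static external script reads per-page JSON from its own element body and treats it strictly as data, so no inline script needs to be allowed by the policy. The `SCHEMA` keys and the `fakeDocument` stand-in are assumptions made for illustration.

```javascript
// Per-page values arrive as inert JSON text; this static file never changes.
// SCHEMA is a hypothetical allow-list of accepted keys and their types.
const SCHEMA = { json: "string", userId: "number" };

// Locate the config text as in the thread: the body of the executing
// <script src=...> element (the last one parsed). Browsers do not run that body.
function findConfigText(doc) {
  const scripts = doc.getElementsByTagName("script");
  const current = doc.currentScript || scripts[scripts.length - 1];
  if (!current) return null;
  return current.textContent || current.innerText || "";
}

// Parse with JSON.parse only (never eval) and keep allow-listed, well-typed keys.
function parseConfig(text) {
  const config = Object.create(null); // no inherited properties to confuse lookups
  if (text === null || text.trim() === "") return config;
  let raw;
  try {
    raw = JSON.parse(text);
  } catch (e) {
    return config; // malformed or script-like content is dropped, not executed
  }
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) return config;
  for (const key of Object.keys(SCHEMA)) {
    const present = Object.prototype.hasOwnProperty.call(raw, key);
    if (present && typeof raw[key] === SCHEMA[key]) config[key] = raw[key];
  }
  return config;
}

function loadConfig(doc) {
  return parseConfig(findConfigText(doc));
}

// Constructed stand-in for a browser document so the example runs offline.
function fakeDocument(bodies) {
  const scripts = bodies.map((body) => ({ textContent: body }));
  return { currentScript: null, getElementsByTagName: () => scripts };
}
```

In a page, the same file would be loaded as `otherscript.js` and call `loadConfig(document)`.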
