
Re: CSP and web analytics

From: John Wilander <john.wilander@owasp.org>
Date: Wed, 8 Jun 2011 20:45:21 +0200
Message-ID: <BANLkTimr+VAdB7i2tbRRNUv3pwcMmcpEtA@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
2011/6/8 Adam Barth <w3c@adambarth.com>

> > For example:
> >
> > <a href="#settings" onclick="_trackEvent('openPage','settings')">Settings</a>
> >
> > If you want this to work with CSP you need to add an id to the anchor,
> > then in another script do:
> > document.getElementById(...).addEventListener(...,function(){
> >    _trackEvent('openPage','settings')
> > }, false)
> >
> > Or something like that (maybe you can make it easier with
> > data-event/data-page attributes or so).
>
> Or just:
>
> $("#settings").live("click", function() {
> _trackEvent('openPage','settings'); });
>
> in jQuery speak.
>

Google actually has a video tutorial where JavaScript coding style for the
web is divided into three levels (
http://code.google.com/intl/en/edu/submissions/html-css-javascript/):

   1. Inline event handlers - deemed bad practice
   2. Inline code blocks - deemed OK practice
   3. Code in files loaded in <head> plus a separate script block with a
   call to an initialize() function at the end of <body> - good practice

I don't think pushing it to file-only is a far stretch. We try to have a
strict three-layer design at my org.

We've decided to try to make CSP fly, which is why we're starting to hit the
bumps. Web analytics came first.

   /John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
Received on Wednesday, 8 June 2011 18:45:49 UTC
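
Added example, not part of the original message or of any code by its participants: one way to do the data-event/data-page variant mentioned in the quoted text, using a single delegated listener in an external script file so no inline handler is needed. The function names findTracked and bindTracking are invented for this sketch, and the script-src 'self' policy in the comment is an assumed policy, not one stated in the thread.

```javascript
// Added example: CSP-compatible replacement for inline onclick tracking.
// Markup carries data only, so it works under a policy that blocks inline
// script (assumed here: script-src 'self'):
//   <a href="#settings" data-event="openPage" data-page="settings">Settings</a>
// findTracked and bindTracking are hypothetical names for this example.

// Walk from the clicked node up to (not past) root and return the first
// element carrying a data-event attribute, or null if there is none.
function findTracked(node, root) {
  while (node && node !== root) {
    // Text nodes have no getAttribute; skip them and keep climbing.
    if (node.getAttribute && node.getAttribute('data-event') !== null) {
      return node;
    }
    node = node.parentNode;
  }
  return null;
}

// One delegated listener on root covers every tracked element inside it,
// including elements inserted after binding. track is the analytics callback.
function bindTracking(root, track) {
  root.addEventListener('click', function (e) {
    var el = findTracked(e.target, root);
    if (el) {
      track(el.getAttribute('data-event'), el.getAttribute('data-page'));
    }
  }, false);
}

// In a browser, run this from a file loaded with <script src="...">.
// _trackEvent is the tracking function named in the thread.
if (typeof document !== 'undefined' && typeof _trackEvent === 'function') {
  bindTracking(document, _trackEvent);
}
```

Clicks on child nodes of a tracked element (an icon or span inside the link) are attributed to the nearest ancestor with data-event, which an inline onclick would also have caught through bubbling.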
