W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: CSP and web analytics

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 09 Jun 2011 18:03:12 -0700
Message-ID: <4DF16D50.2020707@mozilla.com>
To: "sird@rckc.at" <sird@rckc.at>
CC: John Wilander <john.wilander@owasp.org>, public-web-security@w3.org
On 6/8/11 7:41 AM, sird@rckc.at wrote:
> I don't know about omniture but for Analytics you can put the inlined
> JS inside a .js file.

Since those snippets are mostly boilerplate plus page-specific
chunks doing that a lot can create additional latency some sites
might want to avoid.  The local data could be put into DOM
attributes and then a common site-wide script (taking advantage of
caching) could move the data into the variables required by
analytics or the advertising solution.

In the future HTML dataset attributes could be used, you could even
use those now since if they're not supported natively several
javascript libraries (jQuery et al) have shims.

In Firefox you could even put the data in attributes on the
executing <script> tag itself and then the included 3rd party script
could use use
https://developer.mozilla.org/en/DOM/document.currentScript to get
them. But realistically that would only be practical if
document.currentScript becomes a standard, adopted by other
browsers, and then supported by the various analytics/ad providers.

-Dan Veditz
Received on Friday, 10 June 2011 01:03:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC