- From: John Wilander <john.wilander@owasp.org>
- Date: Wed, 8 Jun 2011 20:45:21 +0200
- To: Adam Barth <w3c@adambarth.com>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
- Message-ID: <BANLkTimr+VAdB7i2tbRRNUv3pwcMmcpEtA@mail.gmail.com>
2011/6/8 Adam Barth <w3c@adambarth.com>
> > For example:
> >
> > <a href="#settings" onclick="_trackEvent('openPage','settings')">Settings</a>
> >
> > If you want this to work with CSP you need to add an id to the anchor,
> > then in another script do:
> > document.getElementById(...).addEventListener(...,function(){
> > _trackEvent('openPage','settings')
> > }, false)
> >
> > Or something like that (maybe you can make it easier with
> > data-event/data-page attributes or so).
>
> Or just:
>
> $("#settings").live("click", function() {
>   _trackEvent('openPage','settings');
> });
>
> in jQuery speak.
>
Google actually has a video tutorial where JavaScript coding style for the
web is divided into three levels (
http://code.google.com/intl/en/edu/submissions/html-css-javascript/):

1. Inline event handlers – deemed bad practice
2. Inline code blocks – deemed OK practice
3. Code in files loaded in <head> plus a separate script block with a
call to an initialize() function at the end of <body> – good practice

I don't think pushing it to file-only is a far stretch. We try to have a
strict three-layer design at my org.

We've decided to try to make CSP fly which is why we're starting to hit the
bumps. Web analytics came first.
/John
--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
Received on Wednesday, 8 June 2011 18:45:49 UTC
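
The file-only approach discussed in this thread, as an added example that is not part of the original messages: one external script binds a single delegated click listener and reads the `data-event`/`data-page` attributes suggested in the quoted text, so the page needs neither inline handlers nor an inline `initialize()` block. The file name `tracking.js` and the helpers `trackingArgs` and `bindTracking` are hypothetical; `_trackEvent` is the analytics function named in the thread.

```javascript
// tracking.js -- loaded via <script src="tracking.js"></script>, so it runs
// under a policy that forbids inline script and inline event handlers.
// Assumed markup (constructed for this example):
//   <a href="#settings" data-event="openPage" data-page="settings">Settings</a>

// Return [event, page] for the clicked node or its nearest annotated
// ancestor, or null when the click was not on a tracked element.
function trackingArgs(target) {
  if (!target || typeof target.closest !== 'function') return null;
  const el = target.closest('[data-event]');
  if (!el) return null;
  const event = el.getAttribute('data-event');
  const page = el.getAttribute('data-page');
  // Ignore half-annotated elements rather than sending empty values.
  if (!event || !page) return null;
  return [event, page];
}

// Attach ONE delegated listener to `root`; elements added to the page later
// are covered too, which is what .live() provided in the jQuery variant.
function bindTracking(root, track) {
  const handler = function (e) {
    const args = trackingArgs(e.target);
    if (args) track(args[0], args[1]);
  };
  root.addEventListener('click', handler, false);
  return handler;
}

// Browser entry point: the file wires itself up, so no inline call is needed.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    bindTracking(document, function (ev, page) { _trackEvent(ev, page); });
  }, false);
}
```

Because the values travel as attribute strings and are passed to the tracker as data, nothing in the markup is evaluated as script.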