We have made two additions to the spec that we think will address these
needs:
1. Sites can opt-out of "no inline scripts" by adding the "inline"
keyword to their script-src directive.
2. Sites can opt-out of "no code from strings" by adding the "eval"
keyword to their script-src directive.
These additions may enable some sites, who would otherwise be deterred
by the JS restrictions, to adopt CSP in a limited fashion early, and
later do a full implementation as resources permit.
Cheers,
Brandon
One thing I would find greatly beneficial is examples of how to do
things properly in a cross browser compliant way.
For example, for form validation - <form onsubmit="return checkform()">
just works.
I've figured out (I think) how to properly attach most events
externally - like onchange, onclick, etc. - but whenever I try to
attach something to the submit event of a form, the script runs but
then the form data is posted to the action page regardless whether it
returns true or false. It just works with the inline onsubmit
attribute.
Part of the problem is IE and Firefox have different ways to attach
events, but I think there must be some concept I just don't get about
how the submit event works that isn't a problem with inline.
A library of function examples that do things cross platform in a
fully CSP compliant way would be a godsend, and IMHO preferable to
taking the easy way out and loosening up the enforcement.
What I'm doing to attach events is here:
http://www.shastaherps.org/js/common.js
(second function which calls third and fourth function) - which I
borrowed from someone else when everything (except form submit) was
working peachy in Firefox but then when I checked in IE, nothing
worked.
I personally use jQuery to abstract the cross-platform issues:
- Bil
If you do:

  myForm.onsubmit = function() {
    return checkform();
  }

I think it should work. Otherwise

  myForm.addEventListener("submit", function(event) {
    if (!checkform()) {
      event.preventDefault();
    }
  }, false);

should work in any browser that implements DOM-Events. Unfortunately IE
does not yet.
/ Jonas
return false;
> }
> }, false);
should, according to web searches, make it work in IE too. But Jonas
knows more about this than me :-)
Gerv
It doesn't.
It runs the function but submits the data regardless of the function
return value.
On another list, it was mentioned that what I need to look into to
prevent the default event action from happening is "preventDefault"
for Firefox and "returnValue" for IE.
I haven't tried it yet but looking at https://developer.mozilla.org/en/DOM/event.preventDefault
it looks like that might be what I need for the form case.
I'm rather irked, I bought this great big fat expensive JavaScript book
everyone raves about. It says attaching event handlers externally is
the right way, gives a few brief examples with onclick and onchange,
and then says for brevity - the rest of the book will use HTML
attributes in examples. Completely left out the scenarios like form
submit where there is an action you need to prevent. Oh well. I wrote
a letter (nice) to the author, maybe in his next edition he'll be more
careful about that kind of thing.
> myForm.addEventListener("submit", function(event) {
>   if (!checkform()) {
>     event.preventDefault();
>   }
> }, false);
That did work, I had a typo was all.
Good enough for now, for IE - I'll deal with it later.
Thank you.
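
The pattern the thread converges on, as an added example that is not part of the original messages: a submit guard kept in an external script file, so the form needs no inline onsubmit attribute under a policy that blocks inline script. The names guardSubmit and cancelDefault are hypothetical, and the attachEvent branch is an assumption about the legacy IE path that the thread leaves untested.

```javascript
// Added example for an external script file; no inline handler involved.
// Usage in the page's own external script, once the form exists:
//   guardSubmit(document.getElementById("myForm"), checkform);
// ("myForm" and checkform are the names used in the thread.)

// Cancel the event's default action in either event model.
function cancelDefault(event) {
  if (typeof event.preventDefault === "function") {
    event.preventDefault();      // DOM Events model
  } else {
    event.returnValue = false;   // legacy IE event object
  }
}

// Attach `validate` to the form's submit event and block the post when
// it returns a falsy value. Returns the registration method used.
function guardSubmit(form, validate) {
  function handler(event) {
    // The return value of a listener registered with addEventListener
    // is ignored, so "return false" here would not stop the post.
    // The default action has to be cancelled on the event itself.
    if (!validate(form)) {
      cancelDefault(event);
    }
  }

  if (form.addEventListener) {
    form.addEventListener("submit", handler, false);
    return "addEventListener";
  }
  if (form.attachEvent) {
    // Legacy IE registration; the event name carries the "on" prefix.
    form.attachEvent("onsubmit", handler);
    return "attachEvent";
  }
  // Last resort: a property handler, where the return value does count.
  form.onsubmit = function () {
    return !!validate(form);
  };
  return "onsubmit";
}
```
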