CSP on ajax forms


sebastian....@gmail.com

Nov 16, 2016, 11:49:32 AM
to Lift
Hi,
another CSP problem/question.

How do I get
 <form role="form" data-lift="form.ajax">
running without getting a CSP error complaining about onsubmit in forms:

blocked-uri: "self"
document-uri: "http://localhost:8080/company"
original-policy: "default-src http://local...-security-policy-report"
referrer: "http://localhost:8080/"
script-sample: "onsubmit attribute on FORM element"
source-file: "http://localhost:8080/company"
violated-directive: "script-src http://localhost:8080 form:"

Setting scriptSources = List(ContentSourceRestriction.Self, ContentSourceRestriction.UnsafeInline) helps, but is that the proper way to do this?
I am not sure how to just get that working for forms alone (if that is really necessary).
But really the framework should do that from the beginning and not block its own features ;)

Best regards
Sebastian

Tim Nelson

Nov 16, 2016, 2:12:58 PM
to Lift
Hi Sebastian,

What form.ajax does is add an onsubmit handler to the form. UnsafeInline applies to inline script tags as well as to HTML tag attributes like onsubmit, onclick, etc.

So, you either have to allow UnsafeInline, or use Lift's built-in code that checks the HTML for any tag attributes that Lift added and extrapolates that to JavaScript. Prior to RC4, that was enabled by default, but there were some issues and so it was decided to disable it. The rule in question is LiftRules.extractInlineJavaScript. I would try setting that to true and test your app.

Ultimately, I hope we'll have a better solution. Personally, I just create the save function in my snippet, then add the id as a data attribute to the form and use some JavaScript to wire it up myself. I will try to get an example of that posted soon.

Tim
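As an added example (not Lift's code and not Tim's), the Node-runnable JavaScript below shows both points from the thread: an inline onsubmit= attribute is blocked by a script-src directive that lacks 'unsafe-inline' (yielding the same "script-sample" wording as Sebastian's report), and the same handler can be hoisted into a separately served script, which is the idea behind LiftRules.extractInlineJavaScript and Tim's data-attribute wiring. The handler body saveCompany(...), the data-lift-handler attribute and the policy strings are constructed for this example.

```javascript
// Added example, not Lift's code: why an inline onsubmit= violates script-src without
// 'unsafe-inline', and how the handler can be hoisted into a separately served script.
// Pure string handling (no DOM) so it runs in Node; regexes fit the constructed markup only.
const TAG = /<([a-zA-Z]+)([^>]*)>/g;                     // opening tags only
const INLINE_HANDLER = /\s(on[a-z]+)\s*=\s*"([^"]*)"/g;  // onsubmit="...", onclick="..."

// Parse a Content-Security-Policy header into { directive: [source tokens] }.
function parsePolicy(header) {
  return Object.fromEntries(header.split(';').map(d => d.trim().split(/\s+/))
    .filter(t => t[0]).map(t => [t[0], t.slice(1)]));
}

// Inline handlers are governed by script-src (falling back to default-src). Return
// the ones the policy blocks, worded like the report's "script-sample" field.
function blockedInlineHandlers(header, html) {
  const p = parsePolicy(header);
  const sources = p['script-src'] || p['default-src'] || [];
  if (sources.includes("'unsafe-inline'")) return [];
  const blocked = [];
  for (const [, name, attrs] of html.matchAll(TAG)) {
    for (const [, evt] of attrs.matchAll(INLINE_HANDLER)) {
      blocked.push(`${evt} attribute on ${name.toUpperCase()} element`);
    }
  }
  return blocked;
}

// Hoist each inline handler out of the markup: drop the attribute, tag the element
// with a constructed data-lift-handler id, and emit addEventListener code. Inline
// `return false` cancels the event, so the wrapper maps it to preventDefault().
// The emitted script must be served from an allowed origin, not inlined.
function extractInlineJavaScript(html) {
  let counter = 0;
  const scripts = [];
  const cleaned = html.replace(TAG, (tag, name, attrs) => {
    const handlers = [...attrs.matchAll(INLINE_HANDLER)];
    if (!handlers.length) return tag;
    const id = `lift-h${++counter}`;
    for (const [, evt, body] of handlers) {
      scripts.push(`document.querySelector('[data-lift-handler="${id}"]').addEventListener('${evt.slice(2)}', ` +
        `function (event) { if ((function (event) { ${body} }).call(this, event) === false) event.preventDefault(); });`);
    }
    return `<${name}${attrs.replace(INLINE_HANDLER, '')} data-lift-handler="${id}">`;
  });
  return { html: cleaned, script: scripts.join('\n') };
}

// Constructed sample: a policy like the one in the report and a form like Lift's output.
const REPORT_POLICY = 'default-src http://localhost:8080; script-src http://localhost:8080';
const SAMPLE_FORM = '<form role="form" onsubmit="saveCompany(this); return false;"><input type="submit"></form>';
```

Running blockedInlineHandlers(REPORT_POLICY, SAMPLE_FORM) reproduces the report's "onsubmit attribute on FORM element", while the markup returned by extractInlineJavaScript(SAMPLE_FORM) passes the same policy with no violation.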