Turning off rewriting of on* inline-js in Lift3


Andreas Joseph Krogh

Apr 23, 2015, 7:10:05 PM
to lif...@googlegroups.com
Hi all.
 
We still have quite a lot of CSS matching the [onclick] selector, which doesn't play well with Lift3's new mechanism of rewriting onclick attributes to event handlers (in LiftMerge.fixAttrs).
 
Is there a way to turn this off, that is, don't rewrite and use "pre-3 behavior"? If not, I propose to add a setting for it in LiftRules.
 
Thanks.
 
--
Andreas Joseph Krogh
CTO / Partner - Visena AS
Mobile: +47 909 56 963

Antonio Salazar Cardozo

Apr 24, 2015, 1:28:33 PM
to lif...@googlegroups.com
There currently isn't. The feature is mostly meant to interact with ContentSecurityPolicy,
so I wouldn't necessarily be opposed to turning it off if the SecurityRules for JavaScript
allow inline JS. When I first wrote it SecurityRules wasn't ready yet, but now that SecurityRules
is in, we can properly play them off each other.

Obviously I also feel strongly that this is the framework nudging you in the direction of
developing “better” (and more securely), but I fully acknowledge that I have a strong and
biased opinion ;)
Thanks,
Antonio

Andreas Joseph Krogh

Apr 25, 2015, 4:46:15 AM
to lif...@googlegroups.com
On Friday 24 April 2015 at 19:28:33, Antonio Salazar Cardozo <savedf...@gmail.com> wrote:
> There currently isn't. The feature is mostly meant to interact with ContentSecurityPolicy,
> so I wouldn't necessarily be opposed to turning it off if the SecurityRules for JavaScript
> allow inline JS. When I first wrote it SecurityRules wasn't ready yet, but now that SecurityRules
> is in, we can properly play them off each other.
>
> Obviously I also feel strongly that this is the framework nudging you in the direction of
> developing “better” (and more securely), but I fully acknowledge that I have a strong and
> biased opinion ;)
> Thanks,
> Antonio
 
My point is mostly that we should offer a smooth migration path from Lift < 3, where there probably exists lots of on* (especially onclick) in the code and CSS (having a CSS rule [onclick] { cursor: pointer } is quite common I think). Rewriting that code to fit Lift3's current CSP is more than some work, and that may turn people away from Lift3.

Antonio Salazar Cardozo

Apr 26, 2015, 2:25:13 PM
to lif...@googlegroups.com
We can do a couple of things, including relaxing the default Content-Security-Policy for the initial
Lift 3 release. Marking things that have been so transformed is a good idea, though (as per your
PR, which I'll make some comments on in Github).
Thanks,
Antonio