Move all inline code to .js files (#4401)
Comments
Makes sense to me. I used ep_helmet to handle CSP by adding nonces, btw, but moving it out from being inline is way better. Peep ep_helmet first and the open nonce PR as reference points 👍
Why not, but what alternative would we have to modify the index inline script after that?
@brunob isn't there a hook to include JavaScript in the head?
@JohnMcLear I don't think so; here is what we do with that hook: https://framagit.org/infini/ep_infini/-/blob/master/infini.js#L10
Okay, so @rhansen, why remove it? Just ensure the docs tell people to only reference scripts here, i.e. how the template does it.
An example of how not to do it could be
An example of how to do it could be..
We could also just put a comment in the HTML saying not to include inline JS... I'm lazy too, which is why I prefer the nonce approach over removing inline completely, because this catches all potential plugin issues...
I moved the indexCustomInlineScripts-specific discussion to PR #4402.
Adding a nonce might be a good temporary fix, but I don't like it as a long-term fix because:
This avoids the reliance on the global `chat` variable, and it is a step toward supporting a strict Content Security Policy (#4401).
I would like to move all of the inline code into .js files so that users can set a Content Security Policy (CSP) that prohibits inline code. Prohibiting inline code reduces the potential number of XSS vulnerabilities.
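As an added example, not code from Etherpad or from anyone in this thread, here is a small audit that lists the inline scripts and inline event handlers in an HTML template and reports what each of the three policies discussed above (allowing inline, nonce-based, and strict external-only) would block. The sample template and the nonce value `abc123` are constructed for the example.

```javascript
// Added example (not Etherpad's code): list the <script> tags and inline event
// handlers in an HTML template and report which ones a CSP script-src blocks.

// Constructed sample template; the nonce value is made up for the example.
const SAMPLE_HTML = `
<script src="/static/js/pad.js"></script>
<script>window.chat = {};</script>
<script nonce="abc123">init();</script>
<button onclick="doThing()">Go</button>
`;

function findScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>[\s\S]*?<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const nonce = /\bnonce\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, nonce: nonce ? nonce[1] : null });
  }
  // Inline event handler attributes (onclick="...") are inline script too.
  const inlineHandlers = (html.match(/\son[a-z]+\s*=\s*["']/gi) || []).length;
  return { scripts, inlineHandlers };
}

// Minimal model of script-src: 'self', 'unsafe-inline' and 'nonce-...'.
// Per CSP Level 2, 'unsafe-inline' is ignored once the directive carries a
// nonce or hash, so a nonce policy is strict for anything lacking the nonce.
function parsePolicy(scriptSrc) {
  const sources = scriptSrc.split(/\s+/).filter(Boolean);
  const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
  return { sources, unsafeInline: sources.includes("'unsafe-inline'") && !hasNonce };
}

function auditTemplate(html, scriptSrc) {
  const policy = parsePolicy(scriptSrc);
  const { scripts, inlineHandlers } = findScripts(html);
  const blocked = scripts.filter((s) => {
    // External script: allowed by 'self' when same-origin (approximated here
    // by a root-relative path).
    if (s.src) return !(policy.sources.includes("'self'") && s.src.startsWith('/'));
    if (s.nonce && policy.sources.includes(`'nonce-${s.nonce}'`)) return false;
    return !policy.unsafeInline;
  });
  return {
    blockedScripts: blocked.length,
    blockedHandlers: policy.unsafeInline ? 0 : inlineHandlers,
  };
}
```

Running `auditTemplate(SAMPLE_HTML, "'self'")` shows why the issue prefers external files: the strict policy blocks every inline block and handler, so anything a plugin injects inline is caught rather than silently allowed.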