
Move JavaScript form submission to script block #1620

Merged
merged 1 commit into from Aug 20, 2019

Conversation

@jezen
Member

commented Aug 19, 2019

If someone wants their website to score a good grade on a security vulnerability scanner like Mozilla Observatory, they will need to enable the Content Security Policy header. When using CSP, it is possible to explicitly allow inline JavaScript in <script> tags by specifying the sha256 of the snippet. However, the same is not true of any JavaScript included in an HTML attribute like onload.

This change moves the JavaScript form submission out of the onload HTML attribute and into a <script> tag so the user can add the hash of this script to their explicitly-allowed script-src list, and they can avoid using undesirable CSP rules like unsafe-inline.

Without explicitly allowing this script when using CSP, the script would fail and the user would have to click the button to continue.

  • Bumped the version number
  • Update the Changelog.md file with a link to your PR
  • Check that CI passes (or if it fails, for reasons unrelated to your change, like CI timeouts)
Move JavaScript form submission to script block
If someone wants their website to score a good grade on a security
vulnerability scanner like Mozilla Observatory, they will need to enable
the Content Security Policy header. When using CSP, it is possible to
explicitly allow inline JavaScript in `<script>` tags by specifying the
sha256 of the snippet. However, the same is _not_ true of any JavaScript
included in an HTML attribute like `onload`.

This change moves the JavaScript form submission out of the `onload`
HTML attribute and into a `<script>` tag so the user can add the hash of
this script to their explicitly-allowed `script-src` list, and they can
avoid using undesirable CSP rules like `unsafe-inline`.

Without explicitly allowing this script when using CSP, the script would
fail and the user would have to click the button to continue.
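The following is an added example, not code from this PR or from Yesod, showing why the move from `onload` to a `<script>` tag matters for a hash-based `script-src`. It computes the CSP hash source for an inline script body, builds a `script-src` directive from it, and then reports which inline script a hash-only policy would still block. The markup for the "before" and "after" shapes is constructed for illustration and is not Yesod's actual template; the function names are assumptions. Note that the digest is taken over the exact bytes between the tags, so any whitespace change to the script invalidates the hash.

```python
import base64
import hashlib
import re


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return a CSP hash source ('sha256-<base64>') for an inline script body.

    The digest covers exactly the text between <script> and </script>,
    UTF-8 encoded; any change in whitespace produces a different hash.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_src_directive(hashes, extra_sources=("'self'",)) -> str:
    """Build a script-src directive that allows the given hash sources."""
    sources = list(extra_sources) + [f"'{h}'" for h in hashes]
    return "script-src " + " ".join(sources)


# Deliberately simple matchers for the constructed markup below; a real
# audit would use an HTML parser rather than regular expressions.
SCRIPT_TAG = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)
EVENT_ATTR = re.compile(r'\son[a-z]+\s*=\s*"[^"]*"', re.IGNORECASE)
HASH_SOURCE = re.compile(r"'(sha(?:256|384|512)-[A-Za-z0-9+/=]+)'")


def inline_scripts(html: str):
    """Bodies of all inline <script> tags in the markup."""
    return SCRIPT_TAG.findall(html)


def event_handler_attrs(html: str):
    """Inline event-handler attributes such as onload="..." in the markup."""
    return EVENT_ATTR.findall(html)


def unallowed_inline(html: str, script_src: str):
    """Report inline JavaScript that a hash-based script-src would block.

    Returns (blocked_script_bodies, event_handler_attributes): every
    <script> body whose hash is absent from the directive, plus every
    on*= attribute, since hash sources do not cover attribute handlers
    (absent the CSP Level 3 'unsafe-hashes' keyword).
    """
    allowed = set(HASH_SOURCE.findall(script_src))
    blocked = [body for body in inline_scripts(html) if csp_hash(body) not in allowed]
    return blocked, event_handler_attrs(html)


def policy_for(html: str) -> str:
    """Derive a script-src that allows exactly the inline <script> bodies found."""
    return script_src_directive(csp_hash(body) for body in inline_scripts(html))


# Constructed sample markup (not Yesod's template). BEFORE puts the
# auto-submit in an onload attribute; AFTER puts it in a <script> tag.
BEFORE = (
    '<body onload="document.getElementById(\'f\').submit()">'
    '<form id="f" method="post"><button>Continue</button></form></body>'
)
AFTER_SCRIPT = "document.getElementById('f').submit();"
AFTER = (
    '<body><form id="f" method="post"><button>Continue</button></form>'
    f"<script>{AFTER_SCRIPT}</script></body>"
)

if __name__ == "__main__":
    # The onload handler cannot be allowed by hash, so it stays blocked.
    print("before:", unallowed_inline(BEFORE, policy_for(BEFORE)))
    # With the script in a <script> tag, its hash makes the policy sufficient.
    print("after policy:", policy_for(AFTER))
    print("after:", unallowed_inline(AFTER, policy_for(AFTER)))
```

Running the block prints the `onload` attribute as the one piece of inline JavaScript the "before" markup leaves unallowed, and an empty result for the "after" markup once its hash is in `script-src`. The header value a deployment would send is the string `policy_for(AFTER)` returns, and it has to be regenerated whenever the script text changes, which is the operational cost of the hash approach compared with `unsafe-inline`.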

@snoyberg snoyberg merged commit 56e8557 into yesodweb:master Aug 20, 2019

23 checks passed

  • yesodweb.yesod Build #20190819.8 succeeded
  • yesodweb.yesod (Linux cabal-8.0.2) succeeded
  • yesodweb.yesod (Linux cabal-8.2.2) succeeded
  • yesodweb.yesod (Linux cabal-8.4.4) succeeded
  • yesodweb.yesod (Linux cabal-8.6.5) succeeded
  • yesodweb.yesod (Linux nightly) succeeded
  • yesodweb.yesod (Linux pedantic) succeeded
  • yesodweb.yesod (Linux stack-def) succeeded
  • yesodweb.yesod (Linux stack-lts-11) succeeded
  • yesodweb.yesod (Linux stack-lts-12) succeeded
  • yesodweb.yesod (Linux stack-lts-13) succeeded
  • yesodweb.yesod (Linux stack-lts-9) succeeded
  • yesodweb.yesod (Linux stack-persistent-2-10) succeeded
  • yesodweb.yesod (Linux stack-persistent-2-9) succeeded
  • yesodweb.yesod (Windows stack-lts-11) succeeded
  • yesodweb.yesod (Windows stack-lts-12) succeeded
  • yesodweb.yesod (Windows stack-lts-13) succeeded
  • yesodweb.yesod (macOS stack-lts-11) succeeded
  • yesodweb.yesod (macOS stack-lts-12) succeeded
  • yesodweb.yesod (macOS stack-lts-13) succeeded
  • yesodweb.yesod (macOS stack-lts-9) succeeded
  • yesodweb.yesod (macOS stack-persistent-2-10) succeeded
  • yesodweb.yesod (macOS stack-persistent-2-9) succeeded
@snoyberg

Member

commented Aug 20, 2019

Thanks!
