Move JavaScript form submission to script block #1620
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If someone wants their website to score a good grade on a security vulnerability scanner like Mozilla Observatory, they will need to enable the Content Security Policy header. When using CSP, it is possible to explicitly allow inline JavaScript in `<script>` tags by specifying the sha256 of the snippet. However the same is _not_ true of any JavaScript included in a HTML attribute like `onload`. This changes moves the JavaScript form submission out of the `onload` HTML attribute and into a `<script>` tag so the user can add the hash of this script to their explicitly-allowed `script-src` list, and they can avoid using undesirable CSP rules like `unsafe-inline`. Without explicitly allowing this script when using CSP, the script would fail and the user would have to click the button to continue.
snoyberg
approved these changes
Aug 20, 2019
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If someone wants their website to score a good grade on a security vulnerability scanner like Mozilla Observatory, they will need to enable the Content Security Policy header. When using CSP, it is possible to explicitly allow inline JavaScript in
<script>tags by specifying the sha256 of the snippet. However the same is not true of any JavaScript included in a HTML attribute likeonload.This changes moves the JavaScript form submission out of the
onloadHTML attribute and into a<script>tag so the user can add the hash of this script to their explicitly-allowedscript-srclist, and they can avoid using undesirable CSP rules likeunsafe-inline.Without explicitly allowing this script when using CSP, the script would fail and the user would have to click the button to continue.