Move JavaScript form submission to script block #1620
Merged
If someone wants their website to score a good grade on a security vulnerability scanner like Mozilla Observatory, they will need to enable the Content Security Policy header. When using CSP, it is possible to explicitly allow inline JavaScript in `<script>` tags by specifying the sha256 of the snippet. However, the same is not true of any JavaScript included in an HTML attribute like `onload`.

This change moves the JavaScript form submission out of the `onload` HTML attribute and into a `<script>` tag so the user can add the hash of this script to their explicitly-allowed `script-src` list, and they can avoid using undesirable CSP rules like `unsafe-inline`. Without explicitly allowing this script when using CSP, the script would fail and the user would have to click the button to continue.