#3849 rewritten
@J0WI Thanks for coding this
Can I ask you why you decided not to use this:
JFactory::getApplication()->getDocument()->addScriptDeclaration("
CODE GOES HERE
");
This way there is no need for the 2 extra javascript files, and also no extra request on the rendered file.
The weight is small, only 12 lines of code…
You can also see that in my attempt to do the same thing here: #5117
This function would create a <script> element, wouldn't it? So it prevents you from using CSP without unsafe-inline.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#Keywords
Nope, referring to the spec, all <script> elements are blocked, even if they are created in head. Just verified using nginx and Firefox 37.
self => allowed only from the exact same url/protocol (e.g. https://github.com/* but nothing else; relative paths are allowed)
unsafe-inline => allow creepy inline stuff (e.g. <script> elements or javascript: values in href)
unsafe-eval => allow evil eval() stuff
The same restrictions are available for nearly every resource, so inline CSS is also a problem. But you can't do that much damage as with JS.
You may be interested in https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy#Examples.3A.C2.A0Common_use_cases
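To make the distinction in the thread concrete, here is an added example (not Joomla code, not from either commenter): a minimal model of how a browser applies the script-src directive to an inline <script> element (what addScriptDeclaration() emits), an external <script src> and eval(). It models only the 'self', 'unsafe-inline' and 'unsafe-eval' keywords plus plain host sources; nonces, hashes, wildcards and 'strict-dynamic' are out of scope, and the policy and URLs are constructed.

```javascript
// Added example (not Joomla code): a minimal model of how a browser applies the
// script-src directive of a Content-Security-Policy header to three kinds of
// script: an inline <script> element (what addScriptDeclaration() emits), an
// external <script src="..."> and a call to eval(). Only the keywords discussed
// in the thread and plain host sources are modelled; nonces, hashes, wildcards
// and 'strict-dynamic' are out of scope.

// Parse the header into {directiveName: [sources]}. script-src falls back to
// default-src; if neither is present scripts are unrestricted (null).
function effectiveScriptSources(cspHeader) {
  const directives = {};
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives['script-src'] || directives['default-src'] || null;
}

// Simplified host-source match: a full origin must match exactly, a bare host
// (e.g. cdn.example.org) matches the script URL's host regardless of scheme.
function hostSourceMatches(source, scriptUrl) {
  const u = new URL(scriptUrl);
  if (source.includes('://')) return new URL(source).origin === u.origin;
  return source === u.host;
}

// kind is 'inline', 'external' or 'eval'; scriptUrl is only used for 'external'.
function scriptAllowed(cspHeader, pageUrl, kind, scriptUrl) {
  const sources = effectiveScriptSources(cspHeader);
  if (sources === null) return true;
  // Inline <script> bodies (and javascript: URLs) need 'unsafe-inline';
  // a 'self' source never covers them, which is the point made in the thread.
  if (kind === 'inline') return sources.includes("'unsafe-inline'");
  if (kind === 'eval') return sources.includes("'unsafe-eval'");
  for (const src of sources) {
    if (src === "'self'" && new URL(pageUrl).origin === new URL(scriptUrl).origin) return true;
    if (!src.startsWith("'") && hostSourceMatches(src, scriptUrl)) return true;
  }
  return false;
}

// Constructed policy and URLs for illustration.
const POLICY = "default-src 'self'; script-src 'self' cdn.example.org";
const PAGE = 'https://joomla.example.org/index.php';

console.log(scriptAllowed(POLICY, PAGE, 'inline'));   // false: what addScriptDeclaration() produces
console.log(scriptAllowed(POLICY, PAGE, 'external',
  'https://joomla.example.org/media/example.js'));    // true: separate same-origin .js file
console.log(scriptAllowed(POLICY, PAGE, 'external',
  'https://cdn.example.org/lib.js'));                 // true: whitelisted host
console.log(scriptAllowed(POLICY, PAGE, 'eval'));     // false: needs 'unsafe-eval'
```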
This is the right way
@brianteeman Do you need any additional information from me to merge this? Is it already too late to push this to 3.4?
Done.
This still waits for a review/merge
Adding test instructions.
Status | Pending | ⇒ | Ready to Commit |
Thanks @dgt41, just tested with the component and module, works well here. Thanks @J0WI, moving to RTC.
Status | Ready to Commit | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-07-15 12:24:41 |
Closed_By | ⇒ | Kubik-Rubik |
It would really help if you could provide some explanation of what this does and how to test it. The easier it is to test, the quicker it will get merged.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5716.