Hi All,
We are in the process of doing $subject.
# What is the sendToClient() function?
It's a server-side JS function provided by UUF that can be used to send a
server-side value to the client-side:
    function onGet(env) {
        sendToClient("contextPath", env.contextPath);
    }
which will produce the following inline script:
    <script type="text/javascript">var contextPath="/portal";</script>
However, we are hoping to set the Content-Security-Policy header to disallow
inline JS as a security measure against XSS vulnerabilities (as suggested by
the security team):
    Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; frame-ancestors 'none'
Setting the Content-Security-Policy header to the above will break the
sendToClient() functionality, because the browser will refuse to execute the
inline script it emits.
# Proposed solution
Create a <meta> tag in the page header that contains all the values sent
from the server-side:
    <meta name="uuf/from-server" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
- Only one <meta> tag will be created.
- All the values sent from the server-side will be composed into a JSON
object, and that JSON string will be encoded to Base64.
- In order to access a value, the webapp developer has to use the UUFClient,
e.g. UUFClient.fromServer("contextPath"), which will return "/portal".
- Please note that this will be a breaking change for existing UUF
apps/components that utilize the sendToClient() function.
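The round trip described above, as an added example (not UUF's own code) that runs under Node: one <meta> tag is rendered on the server side, and the client side decodes it on demand with JSON.parse instead of executing any inline script. The names encodeForClient, fromServer and metaContentOf are assumed here, not the UUF API.

```javascript
// Added example, not UUF code. Names and helpers below are assumptions.
const META_NAME = "uuf/from-server";

// --- server side: collect all sendToClient() values, render ONE <meta> tag ---
function encodeForClient(values) {
  const json = JSON.stringify(values);
  const b64 = Buffer.from(json, "utf8").toString("base64");
  // The Base64 alphabet is [A-Za-z0-9+/=], so the attribute value can never
  // close the quote or the tag, whatever the server-side strings contain.
  return `<meta name="${META_NAME}" content="${b64}">`;
}

// Works in Node (Buffer) and in a browser (atob + TextDecoder for UTF-8).
function b64ToUtf8(b64) {
  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// --- client side: decode the tag's content and parse it as strict JSON ---
function fromServer(metaContent, name) {
  const values = JSON.parse(b64ToUtf8(metaContent)); // no eval, no inline script
  return Object.prototype.hasOwnProperty.call(values, name) ? values[name] : undefined;
}

// Extract the content attribute from rendered HTML; in a browser this is
// document.querySelector('meta[name="uuf/from-server"]').content instead.
function metaContentOf(html) {
  const m = html.match(/<meta name="uuf\/from-server" content="([A-Za-z0-9+\/=]*)">/);
  return m ? m[1] : null;
}

// Constructed sample values, including one that would break an inline script.
const sample = {
  contextPath: "/portal",
  title: 'x"; alert(1); //</script><script>',
  greeting: "héllo ✓",
};

const tag = encodeForClient(sample);
console.log(tag);
console.log(fromServer(metaContentOf(tag), "contextPath")); // "/portal"
```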
WDYT?
Thanks.
--
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.; http://wso2.com/
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture