Hi Jerad, On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam <[email protected]> wrote:
> Hi Sajith,
>
> As for the offline discussion we had. IMO I feel it's ok to use <meta> tag
> for it. But have some minor suggestions, please see the example below.
>
> <meta property="uuf:data" data-from-server="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>

Based on your suggestion, I'd like to propose the following meta tag.

<meta property="uuf:data" value="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">

IMO, using "value" instead of "data-from-server" gives a more general meta tag.

> Cheers,
>
> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna <[email protected]> wrote:
>
>> Hi All,
>>
>> We are in the process of doing $subject.
>>
>> # What is the sendToClient() function?
>>
>> It's a server-side JS function provided by UUF that can be used to send a
>> server-side value to the client side.
>>
>> function onGet(env) {
>>     sendToClient("contextPath", env.contextPath);
>> }
>>
>> which will produce the following inline script:
>>
>> <script type="text/javascript">var contextPath="/portal";</script>
>>
>> However, we are hoping to set the Content-Security-Policy header to
>> disable inline JS scripts as a security measure against XSS
>> vulnerabilities (as suggested by the security team).
>>
>> Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; frame-ancestors 'none'
>>
>> So setting the Content-Security-Policy header to the above will break the
>> sendToClient functionality.
>>
>> # Proposed solution
>>
>> Create a <meta> tag in the page header that contains all the values sent
>> from the server side.
>>
>> <meta name="uuf/from-server" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>
>> - Only one <meta> tag will be created.
>> - All the values sent from the server side will be composed into a JSON
>>   object, and that JSON string will be encoded to Base64.
>> - In order to access a value, the webapp developer has to use the
>>   UUFClient, e.g. UUFClient.fromServer("contextPath"), which will return "/portal".
>> - Please note that this will be a breaking change for existing UUF
>>   apps/components that utilize the sendToClient() function.
>>
>> WDYT?
>>
>> Thanks.
>> --
>> Sajith Janaprasad Ariyarathna
>> Senior Software Engineer; WSO2, Inc.; http://wso2.com/
>
> --
> Jerad Rutnam
> Senior Software Engineer
>
> WSO2 Inc.
> lean | enterprise | middleware
> M : +94 77 959 1609 | E : [email protected] | W : www.wso2.com

--
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.; http://wso2.com/
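Added example, not part of the thread and not UUF project code: the server-to-meta-to-client round trip the proposal describes, written as plain JavaScript that runs in Node or a browser. The function names (encodeForClient, renderMetaTag, extractMetaValue, makeClient) are my own assumptions, and the naive inline-script renderer at the end is constructed only to contrast the two transports; it is not a claim about how UUF's sendToClient() escaped values.

```javascript
// Added example (not UUF code): one <meta> tag carrying base64(JSON) of all
// server-side values, and the client-side lookup that reads it back.
const META_PROPERTY = 'uuf:data';
const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// UTF-8-safe base64: btoa/atob only accept Latin-1 "binary strings", so go
// through TextEncoder/TextDecoder to survive non-ASCII values.
function b64Encode(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

function b64Decode(b64) {
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Server side: every sendToClient(name, value) call would add to one object;
// the page renders that object once, as the value attribute of a single tag.
function encodeForClient(values) {
  return b64Encode(JSON.stringify(values));
}

function renderMetaTag(values) {
  const encoded = encodeForClient(values);
  // Base64 output never contains < > " ' or &, so it cannot break out of the
  // attribute no matter what the values hold. The check makes that property
  // explicit instead of relying on it silently.
  if (!BASE64_RE.test(encoded)) {
    throw new Error('unexpected character in base64 payload');
  }
  return `<meta property="${META_PROPERTY}" value="${encoded}">`;
}

// Client side. In a browser this would be
//   document.querySelector('meta[property="uuf:data"]').getAttribute('value')
// The regex stands in for the DOM so the example also runs in Node.
function extractMetaValue(html) {
  const re = new RegExp(`<meta property="${META_PROPERTY}" value="([A-Za-z0-9+/=]*)">`);
  const m = html.match(re);
  return m ? m[1] : null;
}

// What a UUFClient.fromServer(name) lookup has to do: decode once, then
// serve values from the parsed object. Unknown names yield undefined.
function makeClient(metaValue) {
  const values = metaValue ? JSON.parse(b64Decode(metaValue)) : {};
  return { fromServer: (name) => values[name] };
}

// Constructed for contrast only: the inline-script transport rendered naively.
// Even with JSON.stringify quoting, a value containing "</script>" ends the
// script element during HTML parsing (the classic fix is to emit "<" as
// "\u003c"), and under "default-src 'self'" the inline script is blocked
// anyway. The <meta> transport has neither problem.
function renderInlineScriptNaive(name, value) {
  return `<script type="text/javascript">var ${name}=${JSON.stringify(value)};</script>`;
}

console.log(renderMetaTag({ contextPath: '/portal' }));
```

Whatever goes into the tag is visible to anyone who can view the page source; base64 is an encoding, not encryption, so the mechanism is a transport for public page data such as contextPath, not a place for secrets.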
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
