Hi Yuri,

Is this required by CSP?
I do not see how it improves security?
Well the script-src 'self' prevents the browser to execute JS that comes from any external server. If an attacker wants your browser to execute his JS, it has to compromise your servers first. For me, yes it improves security.

Meanwhile, littering all forms with IDs and adding back all events in
the js is crappier in my mind (there's now 50+ extra lines of code that
do nothing but that).
You mean 50 lines more if you use my patch ? It may be, but all the JS is "hidden" in an external .js and the HTML code should look more readable, even if (in our case) the changes are small. But it is a question of point of view I imagine. I always try to make clean HTML and put the style in CSS and the intelligence in JS. I personally think it is a good practice.

I think jquery could be substituted with zepto easily, but I do not know
if it improves on this matter.

I did not know zepto, I'll check if the eval() function is used. This is the main issue of jQuery that imposes the 'unsafe-eval' statement in the CSP.

Well, I now imagine I don't commit, then ;-)

Thank you for your feedback and I'm checking a bit deeper the zepto point.

Reply via email to