On Nov 29, 2017, at 8:50 AM, Richard Hipp <d...@sqlite.org> wrote:
>
> Apparently what I would need to do is generate HTML without all of the
> onclick= and style= attributes

Yes.

> but make sure every element has an id= attribute.

Or at least a class attribute, when you want multiple elements to have the same event handler.

> Then at the bottom generate a big
>
> <script type="application/json" id="init-data"> ... JSON here ... </script>

No, that’s just more inline JS, as far as CSP is concerned.

The JSON bypass for inline JS only applies to Ajax returns and such, and it exists only because it is considered safe to parse JSON — which isn’t Turing-complete — but not JSON-as-JS, since a single quoting error can mean you’re allowing user-generated content to be parsed as JavaScript.

I still have script-src 'self' 'unsafe-inline' set in my web app’s CSP for this very reason. But I do still go one step further than Fossil, in that I limit inline JS to a window.onload event handler which calls an init function to apply JS event handlers as needed, as well as dynamic styles and such.

I don’t know that I will ever get to just “self” for script-src.

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
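The rendering pattern the reply describes (no onclick= or style= attributes, an id and a shared class on every element, handlers attached from one init function, the rest of the policy held at script-src 'self'), written up as an added example that is not Fossil's or the poster's code; the row data, the `timeline-row` class and the `/init.js` path are constructed assumptions:

```javascript
// Added example, not Fossil's or the poster's code: server-side rendering in
// the style the reply describes, so the page can be served under a strict
// script-src policy. Row data and the /init.js path are constructed.

const escHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);

// No onclick= or style= on any element; every row gets an id plus a shared
// class so one external handler can find them all.
function renderPage(rows, csp) {
  const items = rows.map((r) =>
    `<li id="row-${escHtml(r.id)}" class="timeline-row">${escHtml(r.text)}</li>`);
  return [
    '<!DOCTYPE html><html><head>',
    `<meta http-equiv="Content-Security-Policy" content="${csp}">`,
    '<script src="/init.js"></script>', // external file: allowed by script-src 'self'
    '</head><body><ul>', ...items, '</ul></body></html>',
  ].join('\n');
}

// The policy the reply settles on vs. the stricter one it is aiming for.
const CSP_WITH_INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const CSP_STRICT = "default-src 'self'; script-src 'self'";

// Review check for rendered output: anything that would still need
// 'unsafe-inline' (inline handlers, style=, inline <script> bodies,
// javascript: URLs) is flagged.
function needsUnsafeInline(html) {
  return /\son[a-z]+\s*=|\sstyle\s*=|javascript:|<script(?![^>]*\ssrc=)[^>]*>/i.test(html);
}

// What /init.js would contain: one load handler wires the rows by class
// instead of per-element onclick= attributes. Takes the document as a
// parameter so it can be exercised outside a browser; returns rows wired.
function initHandlers(doc) {
  const rows = doc.querySelectorAll('.timeline-row');
  rows.forEach((el) => el.addEventListener('click', () => console.log('clicked', el.id)));
  return rows.length;
}
if (typeof window !== 'undefined') {
  window.addEventListener('load', () => initHandlers(document));
}

// Constructed sample rows; the second carries markup that escaping must
// neutralise before it reaches the page.
const SAMPLE_ROWS = [
  { id: 'a1', text: 'Fix typo in docs' },
  { id: 'b2', text: 'Rename "x" & <b>bold</b> </li><script>' },
];
```

Running `needsUnsafeInline(renderPage(SAMPLE_ROWS, CSP_STRICT))` returns false, which is the property a build step can assert before a page is allowed to ship under the stricter policy.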