Re: [Architecture] [UUF] Removing creation of inline JS script tags upon calling sendToClient()

2017-05-31 Thread Rasika Perera
+1 for <meta>.

AFAIK there's no hard limitation in meta tags unless search engines cut off
at some point for the SEO.

On Wed, May 31, 2017 at 5:18 PM, Dakshika Jayathilaka wrote:

> Hi All,
>
> IMHO if we are going forward with meta tag we need to think about HTML
> validation as well. AFAIK according to the specification, we can't use
> value or data attrib with meta tags[1]. +1 for using content attrib.
>
> [1] https://www.w3.org/TR/html5/document-metadata.html#the-meta-element
>
> *Dakshika Jayathilaka*
> PMC Member & Committer of Apache Stratos
> Associate Technical Lead
> WSO2, Inc.
> lean.enterprise.middleware
> 0771100911
>
> On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam  wrote:
>
>> Hi Sajith,
>>
>> As per the offline discussion we had, IMO I feel it's ok to use the <meta>
>> tag for it. But I have some minor suggestions, please see the example below.
>>
>> 
>>
>> Cheers,
>>
>>> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna wrote:
>>
>>> Hi All,
>>>
>>> We are in the process of doing $subject.
>>>
>>> # What is sendToClient() function?
>>>
>>> Its a server-side JS function provided by UUF that can be used to send a
>>> server-side value to the client-side.
>>>
>>>
>>> function onGet(env) {
>>>
>>> sendToClient("contextPath", env.contextPath);
>>>
>>> }
>>>
>>>
>>> Which will produce following inline-script
>>>
>>> var contextPath="/portal";
>>>
>>>
>>> However, we are hoping to set the Content-Security-Policy header to
>>> disable inline-JS scripts as a security measure against XSS
>>> vulnerabilities (as suggested by the security team).
>>>
>>> Content-Security-Policy: upgrade-insecure-requests, *default-src 'self'*, 
>>> frame-ancestors
>>> 'none'
>>>
>>> So setting the Content-Security-Policy header to above will break the
>>> sendToClient functionality.
>>>
>>> # Proposing solution
>>>
>>> Create a  tag in the page header that contains all the values
>>> sent from server-side.
>>>
>>> 
>>>
>>>
>>>- Only one  tag will be created.
>>>- All the values sent from server-side will be composed into a JSON,
>>>and that JSON string will be encoded to Base64.
>>>- In order to access a value, webapp developer has to use the
>>>UUFClient.
>>>   - e.g. UUFClient.fromServer("contextPath") which will return
>>>   "/portal"
>>>- Please note that, this will be a breaking change for existing UUF
>>>apps/component that utilizes sendToClient() function.
>>>
>>> WDYT?
>>>
>>> Thanks.
>>> --
>>> Sajith Janaprasad Ariyarathna
>>> Senior Software Engineer; WSO2, Inc.;  http://wso2.com/
>>> 
>>>
>>
>>
>>
>> --
>> *Jerad Rutnam*
>> *Senior Software Engineer*
>>
>> WSO2 Inc.
>> lean | enterprise | middleware
>> M : +94 77 959 1609 | E : je...@wso2.com | W : www.wso2.com
>>
>> 
>>
>
>


-- 
With Regards,

*Rasika Perera*
Senior Software Engineer
LinkedIn: http://lk.linkedin.com/in/rasika90



WSO2 Inc. www.wso2.com
lean.enterprise.middleware
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [UUF] Removing creation of inline JS script tags upon calling sendToClient()

2017-05-31 Thread Dakshika Jayathilaka
Hi All,

IMHO if we are going forward with meta tag we need to think about HTML
validation as well. AFAIK according to the specification, we can't use
value or data attrib with meta tags[1]. +1 for using content attrib.

[1] https://www.w3.org/TR/html5/document-metadata.html#the-meta-element

*Dakshika Jayathilaka*
PMC Member & Committer of Apache Stratos
Associate Technical Lead
WSO2, Inc.
lean.enterprise.middleware
0771100911

On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam  wrote:

> Hi Sajith,
>
> As per the offline discussion we had, IMO I feel it's ok to use the <meta> tag
> for it. But I have some minor suggestions, please see the example below.
>
> 
>
> Cheers,
>
> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna wrote:
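The HTML validation point raised above, as an added worked example in JavaScript; this is editor-written code, not UUF's. It applies the rule from the referenced section of the HTML5 spec [1]: a <meta> element must carry exactly one of name, http-equiv, charset or itemprop, and whenever name (or http-equiv or itemprop) is present the content attribute is required. The three candidate tags are reconstructed from the thread's wording (a name attribute paired with data-from-server, value, or content) with a placeholder payload; the meta name "uuf-from-server" and the function names are assumptions. One spec detail worth knowing when reading the output: data-* attributes are global attributes permitted on every element, so the data-from-server variant is flagged only for its missing content, while value is flagged as an attribute <meta> does not define.

```javascript
// Added example, not UUF code: HTML5 validity check for the <meta> tag that would carry
// server-side values. Sample tags are constructed from the thread's wording; the meta name
// "uuf-from-server" and the placeholder payload are assumptions.

// Attributes the <meta> element itself defines.
const META_OWN_ATTRS = new Set(["name", "http-equiv", "charset", "itemprop", "content"]);
// Exactly one of these must be present on a <meta>.
const META_KEY_ATTRS = ["name", "http-equiv", "charset", "itemprop"];
// Partial list of global attributes, enough for this check; data-* is handled separately.
const GLOBAL_ATTRS = new Set(["id", "class", "style", "title", "lang", "dir", "hidden", "tabindex"]);

// Parse the attributes of one <meta ...> start tag into a Map of lower-cased name -> value.
function parseMetaAttributes(tag) {
  const m = tag.trim().match(/^<meta\b([^>]*?)\/?>$/i);
  if (!m) throw new Error("not a <meta> start tag: " + tag);
  const attrs = new Map();
  // name, optionally followed by = and a double-quoted, single-quoted or bare value
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = re.exec(m[1])) !== null) {
    const value = [a[2], a[3], a[4]].find((v) => v !== undefined);
    attrs.set(a[1].toLowerCase(), value === undefined ? "" : value);
  }
  return attrs;
}

// Return the list of spec violations for a tag; an empty list means the tag validates.
function checkMetaTag(tag) {
  const attrs = parseMetaAttributes(tag);
  const problems = [];
  const keys = META_KEY_ATTRS.filter((k) => attrs.has(k));
  if (keys.length !== 1) {
    problems.push(`exactly one of ${META_KEY_ATTRS.join("/")} is required, found ${keys.length}`);
  }
  const needsContent = ["name", "http-equiv", "itemprop"].some((k) => attrs.has(k));
  if (needsContent && !attrs.has("content")) {
    problems.push(`content attribute is required together with ${keys.join("/")}`);
  }
  if (attrs.has("charset") && attrs.has("content")) {
    problems.push("content attribute must be omitted when charset is given");
  }
  for (const k of attrs.keys()) {
    if (!META_OWN_ATTRS.has(k) && !GLOBAL_ATTRS.has(k) && !k.startsWith("data-")) {
      problems.push(`attribute "${k}" is not defined for <meta>`);
    }
  }
  return problems;
}

// Constructed candidates: the three attribute choices discussed in the thread.
const PAYLOAD = "eyJjb250ZXh0UGF0aCI6Ii9wb3J0YWwifQ=="; // base64 of {"contextPath":"/portal"}
const CANDIDATE_TAGS = {
  dataAttr: `<meta name="uuf-from-server" data-from-server="${PAYLOAD}">`,
  valueAttr: `<meta name="uuf-from-server" value="${PAYLOAD}">`,
  contentAttr: `<meta name="uuf-from-server" content="${PAYLOAD}">`,
};

// Run the check over every candidate and return label -> list of problems.
function checkCandidates() {
  const report = {};
  for (const [label, tag] of Object.entries(CANDIDATE_TAGS)) {
    report[label] = checkMetaTag(tag);
  }
  return report;
}

console.log(checkCandidates());
```

Only the content variant comes back with an empty problem list; the other two are rejected for lacking content, and value is additionally reported as undefined for <meta>.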


Re: [Architecture] [UUF] Removing creation of inline JS script tags upon calling sendToClient()

2017-05-31 Thread SajithAR Ariyarathna
Hi Jerad,

On Wed, May 31, 2017 at 5:12 PM, Jerad Rutnam  wrote:

> Hi Sajith,
>
> "value" attribute has a direct coupling with "name" attribute. That's why
> I thought of changing it. But in that case I would suggest to use "content"
> attribute instead, as other vendors use,
>
> e.g. 
>
+1 for "content"

Thanks.

>
>
> On the other hand, using the "data-*" attribute in <meta> tags is not valid per
> the W3C standard. But I saw in an article that even though it is not valid
> as per the W3C spec, it still has a meaning: it stores app data instead of
> HTML document metadata.
>
> Cheers,
>
>> On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam wrote:
>
>> Hi Jerad,
>>
>> On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam  wrote:
>>
>>> Hi Sajith,
>>>
>>> As per the offline discussion we had, IMO I feel it's ok to use the <meta>
>>> tag for it. But I have some minor suggestions, please see the example below.
>>>
>>> 
>>>
>> Based on your suggestion, I'd like to propose the following meta tag.
>>
>> 
>>
>> IMO, using "value" instead of "data-from-server" gives a more general
>> meta tag.
>>
>>>
>>>
>> Cheers,
>>>
>>> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna wrote:



-- 
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.;  http://wso2.com/



Re: [Architecture] [UUF] Removing creation of inline JS script tags upon calling sendToClient()

2017-05-31 Thread SajithAR Ariyarathna
Hi Jerad,

On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam  wrote:

> Hi Sajith,
>
> As per the offline discussion we had, IMO I feel it's ok to use the <meta> tag
> for it. But I have some minor suggestions, please see the example below.
>
> 
>
Based on your suggestion, I'd like to propose the following meta tag.



IMO, using "value" instead of "data-from-server" gives a more general meta
tag.

>
>
Cheers,
>
> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna wrote:



-- 
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.;  http://wso2.com/



[Architecture] [UUF] Removing creation of inline JS script tags upon calling sendToClient()

2017-05-31 Thread SajithAR Ariyarathna
Hi All,

We are in the process of doing $subject.

# What is sendToClient() function?

It's a server-side JS function provided by UUF that can be used to send a
server-side value to the client-side.


function onGet(env) {

sendToClient("contextPath", env.contextPath);

}


Which will produce the following inline script:

var contextPath="/portal";


However, we are hoping to set the Content-Security-Policy header to disable
inline-JS scripts as a security measure against XSS vulnerabilities (as
suggested by the security team).

Content-Security-Policy: upgrade-insecure-requests, default-src 'self', frame-ancestors 'none'

So setting the Content-Security-Policy header to above will break the
sendToClient functionality.

# Proposed solution

Create a <meta> tag in the page header that contains all the values sent
from server-side.




   - Only one <meta> tag will be created.
   - All the values sent from server-side will be composed into a JSON, and
   that JSON string will be encoded to Base64.
   - In order to access a value, the webapp developer has to use the UUFClient.
  - e.g. UUFClient.fromServer("contextPath") which will return "/portal"
   - Please note that this will be a breaking change for existing UUF
   apps/components that utilize the sendToClient() function.

WDYT?

Thanks.
-- 
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.;  http://wso2.com/

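The <meta> carrier proposed above, carried through end to end as an added worked example in JavaScript; this is editor-written code, not UUF's implementation of sendToClient() or UUFClient. It assumes a meta name of "uuf-from-server", the content attribute the replies settle on, and the hypothetical names renderFromServerMeta and fromServer; in a browser the readContent callback would be `document.querySelector('meta[name="uuf-from-server"]').content`, and the metaContentFromHtml stand-in exists only so the block runs offline in Node. Three practitioner notes. CSP directives are separated by semicolons, not commas, so the header value needs the form `default-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests` to take effect, and with no script-src the default-src 'self' fallback blocks every inline script, inline event handler and inline style, not only the one sendToClient() emits. Base64 output uses only the characters [A-Za-z0-9+/=], so no server-side value can break out of the content attribute or inject markup, which the constructed hostile value below checks. Base64 is encoding, not protection: anything placed in the tag is readable by the browser, so only values meant for the client belong there.

```javascript
// Added example, not UUF code. Server side builds one <meta> tag carrying a base64-encoded
// JSON map of all sendToClient() values; client side decodes it. The meta name
// "uuf-from-server" and the function names are assumptions made for this example.

const META_NAME = "uuf-from-server"; // assumed name attribute

// Directives separated by semicolons; no 'unsafe-inline', so inline <script> blocks are refused.
const CSP_HEADER_VALUE = "default-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests";

// --- server side: the replacement for sendToClient()'s inline script ---
function encodeFromServer(values) {
  // JSON -> UTF-8 bytes -> base64. Buffer handles non-Latin-1 text, which btoa() would reject.
  return Buffer.from(JSON.stringify(values), "utf8").toString("base64");
}

function renderFromServerMeta(values) {
  // Base64 output is limited to [A-Za-z0-9+/=], so the attribute value needs no HTML escaping.
  return `<meta name="${META_NAME}" content="${encodeFromServer(values)}">`;
}

// --- client side: what a UUFClient.fromServer(key) could do ---
function decodeBase64Utf8(b64) {
  // atob() yields a binary string; decode its bytes as UTF-8 instead of trusting it as text.
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

function parseFromServer(content) {
  if (typeof content !== "string" || content.length === 0) {
    throw new Error(`missing <meta name="${META_NAME}"> content`);
  }
  let parsed;
  try {
    parsed = JSON.parse(decodeBase64Utf8(content));
  } catch (e) {
    throw new Error("from-server payload is not base64-encoded JSON: " + e.message);
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("from-server payload must be a JSON object");
  }
  return parsed;
}

// readContent: in a browser, () => document.querySelector(`meta[name="${META_NAME}"]`).content
function fromServer(key, readContent) {
  const values = parseFromServer(readContent());
  return Object.prototype.hasOwnProperty.call(values, key) ? values[key] : undefined;
}

// Node stand-in for document.querySelector(...).content, so the block runs without a DOM.
function metaContentFromHtml(html) {
  const m = html.match(new RegExp(`<meta name="${META_NAME}" content="([^"]*)">`));
  return m ? m[1] : undefined;
}

// Constructed sample: includes non-Latin-1 text and a value that would break an attribute.
const SAMPLE_VALUES = {
  contextPath: "/portal",
  greeting: "こんにちは",
  hostile: '"><script>alert(1)</script>',
};

// Render the tag, then read the values back the way the client would.
function demo() {
  const html = renderFromServerMeta(SAMPLE_VALUES);
  const read = () => metaContentFromHtml(html);
  return {
    html,
    contextPath: fromServer("contextPath", read),
    greeting: fromServer("greeting", read),
    hostile: fromServer("hostile", read),
    missing: fromServer("nope", read),
    tagCount: (html.match(/<meta /g) || []).length,
    markupLeak: html.indexOf("<script") !== -1, // stays false: base64 cannot carry '<'
  };
}

console.log(demo());
```

The server-side rendering runs once per page and emits a single tag; the client side throws on a missing or malformed payload rather than silently returning undefined, so a page that forgot the tag fails loudly in development. The atob() fallback to Buffer is only there for older Node versions without a global atob().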