Comments (2)
We can support CSP (specifically, disabling eval and inline scripts) but there will be a few tradeoffs. Originally, Marko Widgets allowed a more strict CSP but we backtracked a bit because of some performance concerns. I think we should revisit that decision and see what we can do to enable a more strict CSP for those apps that can take advantage of it.
I think Issue #26 should definitely be resolved, but here are a few other issues that would need to be resolved in order to enable a more strict CSP:
- Client-side reordering of async fragments relies on the reordering code being in an inline script to avoid having to download external JS before async fragments can be moved into the correct place on the DOM.
- When
immediate
is set totrue
(e.g.,<init-widgets immediate>
we generate inline script code to immediately initialize widgets for each async fragment instead of waiting until the DOM is ready (which doesn't happen until all of the async fragments are completed...which is way too late). - We are using
eval
to parse serialized widget config data instead ofJSON.parse
. We decided not to use pure JSON because output HTML will be slightly larger because JSON uses double quotes for strings and HTML uses double quotes. This means that the double quotes need to be escaped to a longer character sequence. For example:{"hello":"world"}
would need to be encoded as the following:
data-w-config="{"hello":"world"}"
Using JSON.parse
also requires the JSON
polyfill.
I feel like disallowing inline scripts will negatively impact progressive HTML rendering (with immediate initialization of widgets). Using JSON.parse
instead of eval
should be a minimal impact with a few slight changes, but it should probably be opt-in since it requires the JSON
polyfill and will make the HTML slightly large (unless we replace double quotes with another safe character after JSON.stringify
).
I'll be glad to work with you on this if you have some time. For the immediate timeframe I am focusing on making widgets stateful to bring in some of the great ideas from React.
Let us know if you have any other thoughts/questions/concerns.
Thanks for bringing up this important issue.
from marko-widgets.
Ok, the statements make total sense - thank you.
For inline scripts, they seem to add a lot of the power that make marko awesome... therefore, avoiding inline scripts seems hard... as they are placed on the first, initial render, they might even work with a script nonce, to verify their origin... - then, policy can be made more strict... Anyway as they provide real value for marko, we might have to accept "unsafe-inline" for now.
eval() seems to be another beast.... and I was not aware of its use on widget config data, aside from the binding initialization that needs to run when templates are rendered server side... I am happy if #26 will be resolved, though.
Basically, I think it is a good thing to avoid the use of eval() when possible; maybe even completely in the future - as always, making it optional is great.... not everybody likes to use polyfills for this...
So I am leaving this up for further discussion/brainstorming - thanks for participation.
from marko-widgets.
Related Issues (20)
- Proposal: Marko Widgets with ES6 and inline Marko templates HOT 6
- Bubbling event listeners are attached too late HOT 1
- Listeners for event delegation do not work if `document.body` is not available HOT 1
- w- prefix HOT 1
- Add support for csp nonce HOT 1
- Add support for delaying widget destruction from an onBeforeDestroy handler HOT 2
- Macro tag doesn't play well with w-bind / widget
- Bug: w-onchange adds "|w0" for null input HOT 1
- No error message when `w-bind` is used and no `index.js` or `widget.js` is found
- Out parameter?
- w-for attribute not being removed HOT 1
- event-delegation.js:44 Uncaught TypeError: Cannot read property '__widget' of null HOT 1
- Proposal: Template as entry point for UI components HOT 6
- Getting the nested widget instance
- Declarative DOM event listeners broken for non-bubbling events on repeated elements HOT 1
- Make state property full reactively HOT 3
- Missing something with lasso and marko-widgets
- Calling A component in for loop . only trigering first element HOT 3
- Extra event handlers are getting added when noConflict js containing marko widgets is loaded
- Special unicode chars (\u2028 and \u2029) need to be escaped if within script tag
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from marko-widgets.