script action and security #49

JoernT · 2021-06-30T20:57:41Z

JoernT
Jun 30, 2021
Maintainer

This is a tricky one...

The ultimate wayout when hitting limitations with the available functionality is to call some javascript. This is also interesting when integrating with custom components.

Of course script could be given inline...

<fx-action type="text/javascript">
    const foo = ....
</fx-action>

However this must be considered a risk as it's too easy to inject some script into the page. Thus it is commonly strongly advised to avoid inline script completely.

Currently Fore supports to link to an external script like this:

<fx-action src="test.js"></fx-action>

This works but is certainly not very convenient esp. when just a single call to a component is wanted which is often the case when integrating arbitrary components with forms.

What else can be done to securely call script?

JoernT · 2021-07-02T10:09:17Z

JoernT
Jul 2, 2021
Maintainer Author

silly question - obviously CSP is the answer.

At least an example for hash-signed inline code would be great

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

script action and security #49

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

script action and security #49

Uh oh!

JoernT Jun 30, 2021 Maintainer

Replies: 1 comment

Uh oh!

JoernT Jul 2, 2021 Maintainer Author

JoernT
Jun 30, 2021
Maintainer

JoernT
Jul 2, 2021
Maintainer Author