Hi All, We are in the process of doing $subject.
# What is sendToClient() function?

It's a server-side JS function provided by UUF that can be used to send a server-side value to the client-side.

    function onGet(env) {
        sendToClient("contextPath", env.contextPath);
    }

which will produce the following inline script:

    <script type="text/javascript">var contextPath="/portal";</script>

However, we are hoping to set the Content-Security-Policy header to disable inline JS scripts as a security measure against XSS vulnerabilities (as suggested by the security team).

    Content-Security-Policy: upgrade-insecure-requests, default-src 'self', frame-ancestors 'none'

So setting the Content-Security-Policy header to the above will break the sendToClient functionality.

# Proposing solution

Create a <meta> tag in the page header that contains all the values sent from server-side.

    <meta name="uuf/from-server" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">

- Only one <meta> tag will be created.
- All the values sent from server-side will be composed into a JSON, and that JSON string will be encoded to Base64.
- In order to access a value, webapp developer has to use the UUFClient.
  - e.g. UUFClient.fromServer("contextPath") which will return "/portal"
- Please note that this will be a breaking change for existing UUF apps/components that utilize the sendToClient() function.

WDYT?

Thanks.

--
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.; http://wso2.com/ <https://wso2.com/signature>
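As an added illustration of the proposal above (this is example code written for this page, not UUF's own implementation), the following shows both halves of the <meta>-tag mechanism: the server side composing all sent values into one JSON document and Base64-encoding it, and the client side decoding the single tag and looking values up by key. The function names composeFromServer, renderMetaTag, parseFromServer and fromServer are assumptions; the client reads the content string directly rather than querying the DOM so the block runs under Node. The CSP constant uses ';' between directives, which is the separator the header syntax requires. The security-relevant point is that Base64 output is restricted to [A-Za-z0-9+/=], so the value lands inside an HTML attribute without any escaping concerns, and the decoded values are treated strictly as data (JSON.parse, never eval), which is what makes the approach compatible with a policy that forbids inline scripts.

```javascript
// Added example (not UUF's own code). Names below are hypothetical.

// Server side: collect every value destined for the client into one JSON
// object and Base64-encode it. Base64 never contains '"', '<' or '>', so the
// result is safe to drop into a quoted attribute value without escaping.
function composeFromServer(values) {
  const json = JSON.stringify(values);
  return Buffer.from(json, "utf8").toString("base64");
}

// Render the single <meta> tag the proposal calls for.
function renderMetaTag(values) {
  return `<meta name="uuf/from-server" content="${composeFromServer(values)}">`;
}

// Client side: decode the tag content back into a plain object. Malformed
// Base64 or non-JSON content yields an empty object rather than an exception,
// so a corrupted tag cannot break page scripts. In a browser the content would
// come from document.querySelector('meta[name="uuf/from-server"]').content and
// be decoded with atob() plus TextDecoder for UTF-8; Buffer is used here so
// the block runs under Node.
function parseFromServer(content) {
  try {
    const json = Buffer.from(content, "base64").toString("utf8");
    const parsed = JSON.parse(json);
    return parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)
      ? parsed
      : {};
  } catch (e) {
    return {};
  }
}

// Equivalent of UUFClient.fromServer("contextPath"): look a key up in the
// decoded object; undefined when the server never sent it. hasOwnProperty
// keeps prototype members such as "constructor" from being returned as values.
function fromServer(content, key) {
  const values = parseFromServer(content);
  return Object.prototype.hasOwnProperty.call(values, key) ? values[key] : undefined;
}

// A header in the shape the proposal is designed around. default-src 'self'
// blocks inline <script> blocks (no 'unsafe-inline'), which is exactly why the
// old inline "var contextPath=..." output stops working, while a <meta> tag is
// ordinary markup and is unaffected.
const CSP_HEADER =
  "upgrade-insecure-requests; default-src 'self'; frame-ancestors 'none'";

// Round trip for the page's own example value.
const demoContent = composeFromServer({ contextPath: "/portal" });
console.log(renderMetaTag({ contextPath: "/portal" }));
console.log(fromServer(demoContent, "contextPath")); // "/portal"
```

One caveat for consumers of fromServer(): the decoded values are untrusted data from the client's point of view just like any other server-supplied string, so they should be written into the page with textContent or equivalent, not innerHTML, or the CSP gain is lost to a DOM-based injection further downstream.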
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture