Hi Jerad,

On Wed, May 31, 2017 at 5:12 PM, Jerad Rutnam <je...@wso2.com> wrote:

> Hi Sajith,
>
> "value" attribute has a direct coupling with "name" attribute. That's why I thought of changing it. But in that case I would suggest to use "content" attribute instead, as other vendors use,
>
> e.g. <meta property="og:title" content="Open Graph META Tags"/>
>

+1 for "content"

Thanks.

>
> In other hand using "data-*" attribute in <meta> tags is not a valid W3C standard. But I saw in an article it says that even though it is not valid as per W3C spec, still it has a meaning that it stores app data instead of HTML document metadata.
>
> Cheers,
>
> On Wed, May 31, 2017 at 4:50 PM, SajithAR Ariyarathna <sajit...@wso2.com> wrote:
>
>> Hi Jerad,
>>
>> On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam <je...@wso2.com> wrote:
>>
>>> Hi Sajith,
>>>
>>> As for the offline discussion we had. IMO I feel it's ok to use <meta> tag for it. But have some minor suggestions, please see the example below.
>>>
>>> <meta property="uuf:data" data-from-server="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>>
>> Based on your suggestion, I like to propose following meta tag.
>>
>> <meta property="uuf:data" value="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>
>> IMO, using "value" instead of "data-from-server" gives a more general meta tag.
>>
>>> Cheers,
>>>
>>> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna <sajit...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We are in the process of doing $subject.
>>>>
>>>> # What is sendToClient() function?
>>>>
>>>> It's a server-side JS function provided by UUF that can be used to send a server-side value to the client-side.
>>>>
>>>>     function onGet(env) {
>>>>         sendToClient("contextPath", env.contextPath);
>>>>     }
>>>>
>>>> Which will produce following inline-script
>>>>
>>>>     <script type="text/javascript">var contextPath="/portal";</script>
>>>>
>>>> However, we are hoping to set the Content-Security-Policy header to disable inline-JS scripts as a security measure against XSS vulnerabilities (as suggested by the security team).
>>>>
>>>>     Content-Security-Policy: upgrade-insecure-requests, *default-src 'self'*, frame-ancestors 'none'
>>>>
>>>> So setting the Content-Security-Policy header to above will break the sendToClient functionality.
>>>>
>>>> # Proposing solution
>>>>
>>>> Create a <meta> tag in the page header that contains all the values sent from server-side.
>>>>
>>>>     <meta name="uuf/from-server" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>>>
>>>> - Only one <meta> tag will be created.
>>>> - All the values sent from server-side will be composed into a JSON, and that JSON string will be encoded to Base64.
>>>> - In order to access a value, webapp developer has to use the UUFClient.
>>>>   - e.g. UUFClient.fromServer("contextPath") which will return "/portal"
>>>> - Please note that, this will be a breaking change for existing UUF apps/component that utilizes sendToClient() function.
>>>>
>>>> WDYT?
>>>>
>>>> Thanks.
>>>> --
>>>> Sajith Janaprasad Ariyarathna
>>>> Senior Software Engineer; WSO2, Inc.; http://wso2.com/
>>>> <https://wso2.com/signature>
>>>
>>> --
>>> *Jerad Rutnam*
>>> *Senior Software Engineer*
>>>
>>> WSO2 Inc.
>>> lean | enterprise | middleware
>>> M : +94 77 959 1609 | E : je...@wso2.com | W : www.wso2.com
>>>
>>> <https://wso2.com/signature>
>>
>> --
>> Sajith Janaprasad Ariyarathna
>> Senior Software Engineer; WSO2, Inc.; http://wso2.com/
>> <https://wso2.com/signature>
>
> --
> *Jerad Rutnam*
> *Senior Software Engineer*
>
> WSO2 Inc.
> lean | enterprise | middleware
> M : +94 77 959 1609 | E : je...@wso2.com | W : www.wso2.com
>
> <https://wso2.com/signature>

--
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.; http://wso2.com/
<https://wso2.com/signature>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
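
The mechanism proposed in the thread (one <meta> tag holding Base64-encoded JSON, read back through a fromServer(key) lookup), sketched as an added example: it is not UUF's code, every function name below is hypothetical, and the sample values are constructed. Under a "default-src 'self'" policy the client-side part would be served as an external same-origin script file.

```javascript
// Added example, not UUF's implementation; function names are hypothetical.
const META_NAME = "uuf/from-server"; // meta name proposed in the thread

// Server side: compose all values into one JSON object, Base64-encode it and
// emit a single <meta> tag. The Base64 alphabet (A-Z a-z 0-9 + / =) contains
// no HTML-special characters, so no value can break out of the attribute.
function renderServerDataMeta(values) {
  const bytes = new TextEncoder().encode(JSON.stringify(values));
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return `<meta name="${META_NAME}" content="${btoa(binary)}">`;
}

// Client side: decode the content attribute back into an object.
// JSON.parse only builds data; nothing is evaluated as script.
function decodeServerData(content) {
  const bytes = Uint8Array.from(atob(content), (c) => c.charCodeAt(0));
  const data = JSON.parse(new TextDecoder().decode(bytes));
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new TypeError("server data must be a JSON object");
  }
  return data;
}

// Stand-in for document.querySelector('meta[name="uuf/from-server"]').content
// so the example also runs outside a browser.
function readMetaContent(html) {
  const m = html.match(/<meta name="uuf\/from-server" content="([A-Za-z0-9+\/=]*)">/);
  if (!m) throw new Error("server data meta tag not found");
  return m[1];
}

// Look up own properties only, so keys such as "constructor" are not
// answered from the prototype chain.
function fromServer(html, key) {
  const data = decodeServerData(readMetaContent(html));
  return Object.prototype.hasOwnProperty.call(data, key) ? data[key] : undefined;
}

// Constructed sample: one ordinary value and one that tries to close the tag.
const sample = { contextPath: "/portal", title: '"><script>x()</script>' };
const page = `<head>${renderServerDataMeta(sample)}</head>`;
console.log(page);
console.log(fromServer(page, "contextPath"));
console.log(fromServer(page, "title"));
```

The hostile value comes back as an inert string, so the remaining risk sits with client code that later writes it into the DOM as markup.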