Hi Jerad,

On Wed, May 31, 2017 at 5:12 PM, Jerad Rutnam <je...@wso2.com> wrote:

> Hi Sajith,
>
> The "value" attribute has a direct coupling with the "name" attribute. That's
> why I thought of changing it. But in that case I would suggest using the
> "content" attribute instead, as other vendors use,
>
> e.g. <meta property="og:title" content="Open Graph META Tags"/>
>
+1 for "content"

Thanks.

>
>
> On the other hand, using a "data-*" attribute in <meta> tags is not valid per
> the W3C standard. But I saw an article that says that even though it is not
> valid as per the W3C spec, it still has a meaning: that it stores app data
> instead of HTML document metadata.
>
> Cheers,
>
> On Wed, May 31, 2017 at 4:50 PM, SajithAR Ariyarathna <sajit...@wso2.com>
> wrote:
>
>> Hi Jerad,
>>
>> On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam <je...@wso2.com> wrote:
>>
>>> Hi Sajith,
>>>
>>> As per the offline discussion we had, IMO it's OK to use a <meta>
>>> tag for it. But I have some minor suggestions; please see the example below.
>>>
>>> <meta property="uuf:data" data-from-server="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>>
>> Based on your suggestion, I'd like to propose the following meta tag.
>>
>> <meta property="uuf:data" value="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>
>> IMO, using "value" instead of "data-from-server" gives a more general
>> meta tag.
>>
>>>
>>> Cheers,
>>>
>>> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna <sajit...@wso2.com
>>> > wrote:
>>>
>>>> Hi All,
>>>>
>>>> We are in the process of doing $subject.
>>>>
>>>> # What is sendToClient() function?
>>>>
>>>> It's a server-side JS function provided by UUF that can be used to send
>>>> a server-side value to the client side.
>>>>
>>>>
>>>> function onGet(env) {
>>>>     sendToClient("contextPath", env.contextPath);
>>>> }
>>>>
>>>>
>>>> Which will produce the following inline script:
>>>>
>>>> <script type="text/javascript">var contextPath="/portal";</script>
>>>>
>>>>
>>>> However, we are hoping to set the Content-Security-Policy header to
>>>> disable inline-JS scripts as a security measure against XSS
>>>> vulnerabilities (as suggested by the security team).
>>>>
>>>> Content-Security-Policy: upgrade-insecure-requests, *default-src 'self'*, frame-ancestors 'none'
>>>>
>>>> So setting the Content-Security-Policy header to the above will break
>>>> the sendToClient functionality.
>>>>
>>>> # Proposed solution
>>>>
>>>> Create a <meta> tag in the page header that contains all the values
>>>> sent from server-side.
>>>>
>>>> <meta name="uuf/from-server" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>>>
>>>>
>>>>    - Only one <meta> tag will be created.
>>>>    - All the values sent from server-side will be composed into a
>>>>    JSON, and that JSON string will be encoded to Base64.
>>>>    - In order to access a value, the webapp developer has to use the
>>>>    UUFClient.
>>>>       - e.g. UUFClient.fromServer("contextPath"), which will return
>>>>       "/portal"
>>>>    - Please note that this will be a breaking change for existing UUF
>>>>    apps/components that utilize the sendToClient() function.
>>>>
>>>> WDYT?
>>>>
>>>> Thanks.
>>>> --
>>>> Sajith Janaprasad Ariyarathna
>>>> Senior Software Engineer; WSO2, Inc.;  http://wso2.com/
>>>> <https://wso2.com/signature>
>>>>
>>>
>>>
>>>
>>> --
>>> *Jerad Rutnam*
>>> *Senior Software Engineer*
>>>
>>> WSO2 Inc.
>>> lean | enterprise | middleware
>>> M : +94 77 959 1609 | E : je...@wso2.com | W : www.wso2.com
>>>
>>> <https://wso2.com/signature>
>>>
>>
>>
>>
>> --
>> Sajith Janaprasad Ariyarathna
>> Senior Software Engineer; WSO2, Inc.;  http://wso2.com/
>> <https://wso2.com/signature>
>>
>
>
>
> --
> *Jerad Rutnam*
> *Senior Software Engineer*
>
> WSO2 Inc.
> lean | enterprise | middleware
> M : +94 77 959 1609 | E : je...@wso2.com | W : www.wso2.com
>
> <https://wso2.com/signature>
>



-- 
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.;  http://wso2.com/
<https://wso2.com/signature>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
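
Added example (not part of the thread and not UUF's code): a sketch of the proposed meta-tag hand-off, with the server composing the values into Base64-encoded JSON and the client reading them back without any inline script. Only the meta name `uuf/from-server` and `fromServer()` come from the thread; `buildMetaTag`, `decodeContent`, `createClient` and the use of Node's `Buffer` for the server half are assumptions.

```javascript
// Added example, not UUF source. buildMetaTag, decodeContent and createClient
// are hypothetical names; the meta name and fromServer() come from the thread.
const META_NAME = "uuf/from-server";

// Server side: compose every value into one JSON object, then Base64-encode it.
// The Base64 alphabet has no quotes or angle brackets, so a value cannot
// terminate the attribute or open a tag, whatever it contains.
function buildMetaTag(values) {
  const b64 = Buffer.from(JSON.stringify(values), "utf8").toString("base64");
  return `<meta name="${META_NAME}" content="${b64}">`;
}

// Client side: Base64 -> bytes -> UTF-8 -> JSON.parse. The payload is only
// parsed as data, never evaluated, so it works under default-src 'self'.
function decodeContent(b64) {
  if (!/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(b64)) {
    throw new Error("content is not Base64");
  }
  // atob() yields one char per byte; decode as UTF-8 so non-ASCII survives.
  const bytes = typeof atob === "function"
    ? Uint8Array.from(atob(b64), (c) => c.charCodeAt(0))
    : Uint8Array.from(Buffer.from(b64, "base64"));
  const parsed = JSON.parse(new TextDecoder().decode(bytes));
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("payload must be a JSON object");
  }
  return parsed;
}

// Minimal stand-in for UUFClient: reads the single <meta> tag once and caches it.
function createClient(doc) {
  let cache = null;
  return {
    fromServer(key) {
      if (cache === null) {
        const meta = doc.querySelector(`meta[name="${META_NAME}"]`);
        cache = meta ? decodeContent(meta.getAttribute("content")) : {};
      }
      // Own properties only, so inherited names like "constructor" give undefined.
      return Object.prototype.hasOwnProperty.call(cache, key) ? cache[key] : undefined;
    },
  };
}
```

The sample value quoted in the thread decodes to an object literal with an unquoted `contextPath` key, so a strict `JSON.parse` as used here rejects it; the server has to emit real JSON for this client to work.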