Hi All,

IMHO if we are going forward with the meta tag, we need to think about HTML
validation as well. AFAIK according to the specification, we can't use
value or data attrib with meta tags[1]. +1 for using content attrib.

[1] https://www.w3.org/TR/html5/document-metadata.html#the-meta-element

*Dakshika Jayathilaka*
PMC Member & Committer of Apache Stratos
Associate Technical Lead
WSO2, Inc.
lean.enterprise.middleware
0771100911

On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam <je...@wso2.com> wrote:

> Hi Sajith,
>
> As per the offline discussion we had, IMO I feel it's OK to use a <meta> tag
> for it. But I have some minor suggestions; please see the example below.
>
> <meta property="uuf:data" data-from-server="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>
> Cheers,
>
> On Wed, May 31, 2017 at 1:04 PM, SajithAR Ariyarathna <sajit...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> We are in the process of doing $subject.
>>
>> # What is sendToClient() function?
>>
>> It's a server-side JS function provided by UUF that can be used to send a
>> server-side value to the client-side.
>>
>>
>> function onGet(env) {
>>     sendToClient("contextPath", env.contextPath);
>> }
>>
>>
>> Which will produce the following inline script:
>>
>> <script type="text/javascript">var contextPath="/portal";</script>
>>
>>
>> However, we are hoping to set the Content-Security-Policy header to
>> disable inline-JS scripts as a security measure against XSS
>> vulnerabilities (as suggested by the security team).
>>
>> Content-Security-Policy: upgrade-insecure-requests, default-src 'self', frame-ancestors 'none'
>>
>> So setting the Content-Security-Policy header to the above will break the
>> sendToClient functionality.
>>
>> # Proposed solution
>>
>> Create a <meta> tag in the page header that contains all the values sent
>> from server-side.
>>
>> <meta name="uuf/from-server" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
>>
>>
>>    - Only one <meta> tag will be created.
>>    - All the values sent from server-side will be composed into a JSON,
>>    and that JSON string will be encoded to Base64.
>>    - In order to access a value, a webapp developer has to use the
>>    UUFClient.
>>       - e.g. UUFClient.fromServer("contextPath") which will return
>>       "/portal"
>>    - Please note that this will be a breaking change for existing UUF
>>    apps/components that utilize the sendToClient() function.
>>
>> WDYT?
>>
>> Thanks.
>> --
>> Sajith Janaprasad Ariyarathna
>> Senior Software Engineer; WSO2, Inc.;  http://wso2.com/
>>
>
>
>
> --
> *Jerad Rutnam*
> *Senior Software Engineer*
>
> WSO2 Inc.
> lean | enterprise | middleware
> M : +94 77 959 1609 | E : je...@wso2.com | W : www.wso2.com
>
>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
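
The proposal in this thread (all server-side values composed into one JSON object, Base64-encoded into the `content` attribute of a single `<meta>` tag, and read back through `UUFClient.fromServer`) can be sketched as follows. This is an added example, not code from the thread or from UUF: `renderFromServerMeta`, `decodeFromServer` and `createClient` are hypothetical names, and only the `uuf/from-server` meta name and the `fromServer` accessor come from the messages above.

```javascript
// Added illustration; UUF's real implementation may differ.
const META_NAME = "uuf/from-server"; // name taken from the proposal in the thread

// Server side: compose every value into one JSON object, Base64-encode it and
// emit a single <meta> tag. The Base64 alphabet (A-Z a-z 0-9 + / =) has no HTML
// metacharacters, so a value cannot break out of the content attribute.
function renderFromServerMeta(values) {
  const utf8 = new TextEncoder().encode(JSON.stringify(values));
  let binary = "";
  for (const byte of utf8) binary += String.fromCharCode(byte);
  return `<meta name="${META_NAME}" content="${btoa(binary)}">`;
}

// Client side: decode the attribute and parse it strictly as data. JSON.parse
// executes nothing, so this works under a CSP that blocks inline scripts.
function decodeFromServer(content) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(content)) {
    throw new Error("from-server payload is not Base64");
  }
  const bytes = Uint8Array.from(atob(content), (c) => c.charCodeAt(0));
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("from-server payload is not a JSON object");
  }
  return parsed;
}

// Hypothetical stand-in for UUFClient: reads the tag once from a document-like
// object, caches the decoded values, and only returns own properties.
function createClient(doc) {
  let cache = null;
  return {
    fromServer(key) {
      if (cache === null) {
        const meta = doc.querySelector(`meta[name="${META_NAME}"]`);
        cache = meta ? decodeFromServer(meta.getAttribute("content") || "") : {};
      }
      return Object.prototype.hasOwnProperty.call(cache, key) ? cache[key] : undefined;
    },
  };
}
```

In a browser, `createClient(document)` would back the `UUFClient` object. Values returned by `fromServer` are still plain data and need the usual output encoding before they are written into the DOM.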
