OK - I really do need to be able to define a function in the head and call a function with an argument.
The form allows for uploading files. Thus I set a random upload identifier so that when submit is pressed and the form client side validates, a new window pops up with the upload identifier to get the progress of the upload from my server. The only way to move that to an external js file is to make the external js file dynamic and pass the upload identifier to it as a get variable. If that's what has to be done I suppose it has to be done, but there really should be a way to whitelist inline JavaScript functions - allow them if defined in the document head, and allow calling functions with arguments - since the policy restricts where external js can come from, the only functions that could be called are either standard JavaScript functions or functions defined in an allowed js file or the document head. Perhaps you could disallow JavaScript arguments that call a url not in an allowed domain (but you probably need to allow a url in the argument for things like opening up an upload progress window).
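The upload-progress popup described in this message can be wired up from a static external file, shown here as an added example that is not part of the original post: the server renders the identifier into a data attribute on the form and the script reads it on submit. The element id `upload-form`, the `data-upload-id` and `data-progress-url` attributes, the identifier format and the `/progress` path are assumptions.

```javascript
// Added example. Assumed markup (hypothetical names), rendered by the server:
//   <form id="upload-form" data-upload-id="a1b2c3d4e5f6" data-progress-url="/progress">
// This file is static and is loaded from a source the policy already allows.

// Assumed identifier format: 8 to 64 alphanumeric characters.
const UPLOAD_ID_RE = /^[A-Za-z0-9]{8,64}$/;

// Build the progress-window URL; reject malformed ids and cross-origin targets.
function buildProgressUrl(progressPath, uploadId, origin) {
  if (!UPLOAD_ID_RE.test(uploadId)) {
    throw new Error('invalid upload identifier');
  }
  const url = new URL(progressPath, origin);
  if (url.origin !== origin) {
    throw new Error('progress URL must be same-origin');
  }
  url.searchParams.set('id', uploadId);
  return url.href;
}

// Attach the submit handler. validate and openWindow are passed in so the
// logic can also be exercised outside a browser.
function attachUploadProgress(form, origin, validate, openWindow) {
  form.addEventListener('submit', function (event) {
    if (!validate(form)) {
      event.preventDefault(); // validation failed: no upload, no popup
      return;
    }
    const href = buildProgressUrl(
      form.dataset.progressUrl, form.dataset.uploadId, origin);
    openWindow(href, 'uploadProgress', 'width=400,height=120');
  });
}

// Browser wiring: replaces an inline onsubmit="..." attribute.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    const form = document.getElementById('upload-form');
    if (form) {
      attachUploadProgress(form, window.location.origin,
        (f) => f.checkValidity(),
        (url, name, features) => window.open(url, name, features));
    }
  });
}
```
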