On Jul 1, 5:20 pm, Jonas Sicking <jo...@sicking.cc> wrote:
> FunkyRes wrote:
> > On Jun 22, 4:15 pm, Brandon Sterne <bste...@mozilla.com> wrote:
> >> Some sites have shared the desire to use some features of CSP, but not
> >> all of them at once.  For example, a site may want to utilize the
> >> content loading features of CSP to help prevent data exfiltration, but
> >> they may not want to be subject to the JavaScript restrictions which are
> >> enabled by default (no inline script, no eval, etc.).
>
> >> We have made two additions to the spec that we think will address these
> >> needs:
>
> >> 1. Sites can opt-out of "no inline scripts" by adding the "inline"
> >> keyword to their script-src directive.
> >> 2. Sites can opt-out of "no code from strings" by adding the "eval"
> >> keyword to their script-src directive.
>
> >> These additions may enable some sites, who would otherwise be deterred
> >> by the JS restrictions, to adopt CSP in a limited fashion early, and
> >> later do a full implementation as resources permit.
>
> >> Cheers,
> >> Brandon
>
> > One thing I would find greatly beneficial is examples of how to do
> > things properly in a cross browser compliant way.
>
> > For example, for form validation - <form onsubmit="return checkform()">
> > just works.
> > I've figured out (I think) how to properly attach most events
> > externally - like onchange, onclick, etc. - but whenever I try to
> > attach something to the submit event of a form, the script runs but
> > then the form data is posted to the action page regardless whether it
> > returns true or false. It just works with the inline onsubmit
> > attribute.
>
> > Part of the problem is IE and Firefox have different ways to attach
> > events, but I think there must be some concept I just don't get about
> > how the submit event works that isn't a problem with inline.
>
> If you do:
>
> myForm.onsubmit = function() {
>    return checkform();
> }
>
> I think it should work.

It doesn't.
It runs the function but submits the data regardless of the function
return value.

On another list, it was mentioned that what I need to look into to
prevent the default event action from happening is "preventDefault"
for firefox and "returnValue" for IE.

I haven't tried it yet but looking at
https://developer.mozilla.org/en/DOM/event.preventDefault
it looks like that might be what I need for the form case.

I'm rather irked, I bought this great big fat expensive JavaScript book
everyone raves about. It says attaching event handlers externally is
the right way, gives a few brief examples with onclick and onchange,
and then says for brevity the rest of the book will use HTML
attributes in examples. It completely left out the scenarios like form
submit where there is an action you need to prevent. Oh well. I wrote
a letter (nice) to the author, maybe in his next edition he'll be more
careful about that kind of thing.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
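The two things asked about in this thread, attaching a submit handler without an inline onsubmit attribute and stopping the submission when validation fails, as an added example that is not part of the original thread or of CSP itself. It assumes, as the poster does, a site-supplied validator (called checkform() in the thread) that returns true or false. The cancel step uses event.preventDefault() where the DOM event model is available and falls back to event.returnValue = false for the legacy IE model; returning false from the handler is kept because it is what cancels submission when the handler was assigned to form.onsubmit, but it is ignored by addEventListener handlers, which is the usual reason a form "submits anyway" once the handler is attached externally. The fake event and form objects at the bottom are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example, not from the original thread.  Cross-browser submit
// handling without inline script: attach the handler externally and
// cancel the default action when the validator says no.

// Cancel the default action of an event in both event models.
function cancelEvent(event) {
  if (event && typeof event.preventDefault === "function") {
    event.preventDefault();          // DOM Level 2 model (Firefox, etc.)
  } else if (event) {
    event.returnValue = false;       // legacy IE event model
  }
  // A false return value is what cancels submission when the handler was
  // assigned to form.onsubmit.  addEventListener ignores the return value,
  // so for that path preventDefault() above is the part that matters.
  return false;
}

// Build a submit handler around a validator.  Submission proceeds only
// when validate() returns true.
function makeSubmitHandler(validate) {
  return function (event) {
    // Legacy IE does not pass the event object; it exposes window.event.
    if (!event && typeof window !== "undefined") {
      event = window.event;
    }
    if (validate()) {
      return true;
    }
    return cancelEvent(event);
  };
}

// Attach the handler using whichever API the browser provides.
// In a real page: attachSubmitHandler(document.forms[0], checkform);
function attachSubmitHandler(form, validate) {
  var handler = makeSubmitHandler(validate);
  if (typeof form.addEventListener === "function") {
    form.addEventListener("submit", handler, false);
  } else if (typeof form.attachEvent === "function") {
    form.attachEvent("onsubmit", handler);   // legacy IE
  } else {
    form.onsubmit = handler;         // last resort: the property style
  }
  return handler;
}

// Constructed stand-ins (not browser objects) so the logic can be
// exercised outside a browser.
function fakeDomEvent() {
  return {
    defaultPrevented: false,
    preventDefault: function () { this.defaultPrevented = true; }
  };
}

function fakeIeEvent() {
  return { returnValue: true };      // no preventDefault(), IE-style
}

// Run a handler built around a fixed validator result against the given
// event and report whether the submission would have gone ahead, i.e.
// the handler returned true and did not cancel the event.
function wouldSubmit(validatorResult, event) {
  var handler = makeSubmitHandler(function () { return validatorResult; });
  var returned = handler(event);
  var cancelled = event.defaultPrevented === true || event.returnValue === false;
  return returned === true && !cancelled;
}
```

With attachSubmitHandler the same handler object serves all three attachment styles, so the validator does not need to know which model the browser uses; only cancelEvent has to.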
