On Jul 1, 5:20 pm, Jonas Sicking <jo...@sicking.cc> wrote:
> FunkyRes wrote:
> > On Jun 22, 4:15 pm, Brandon Sterne <bste...@mozilla.com> wrote:
> >> Some sites have shared the desire to use some features of CSP, but not
> >> all of them at once. For example, a site may want to utilize the
> >> content loading features of CSP to help prevent data exfiltration, but
> >> they may not want to be subject to the JavaScript restrictions which are
> >> enabled by default (no inline script, no eval, etc.).
> >
> >> We have made two additions to the spec that we think will address these
> >> needs:
> >
> >> 1. Sites can opt-out of "no inline scripts" by adding the "inline"
> >> keyword to their script-src directive.
> >> 2. Sites can opt-out of "no code from strings" by adding the "eval"
> >> keyword to their script-src directive.
> >
> >> These additions may enable some sites, who would otherwise be deterred
> >> by the JS restrictions, to adopt CSP in a limited fashion early, and
> >> later do a full implementation as resources permit.
> >
> >> Cheers,
> >> Brandon
> >
> > One thing I would find greatly beneficial is examples of how to do
> > things properly in a cross browser compliant way.
> >
> > For example, for form validation - <form onsubmit="return checkform
> > ()"> just works.
> > I've figured out (I think) how to properly attach most events
> > externally - like onchange, onclick, etc. - but whenever I try to
> > attach something to the submit event of a form, the script runs but
> > then the form data is posted to the action page regardless whether it
> > returns true or false. It just works with the inline onsubmit
> > attribute.
> >
> > Part of the problem is IE and Firefox have different ways to attach
> > events, but I think there must be some concept I just don't get about
> > how the submit event works that isn't a problem with inline.
>
> If you do:
>
> myForm.onsubmit = function() {
>   return checkform();
>
> }
>
> I think it should work.

It doesn't. It runs the function but submits the data regardless of the function return value.

On another list, it was mentioned that what I need to look into to prevent the default event action from happening is "preventDefault" for Firefox and "returnValue" for IE.

I haven't tried it yet but looking at https://developer.mozilla.org/en/DOM/event.preventDefault it looks like that might be what I need for the form case.

I'm rather irked, I bought this great big fat expensive JavaScript everyone raves about. It says attaching event handlers externally is the right way, gives a few brief examples with onclick and onchange, and then says for brevity - the rest of the book will use html attributes in examples. Completely left out the scenarios like form submit where there is an action you need to prevent.

Oh well. I wrote a letter (nice) to the author, maybe in his next edition he'll be more careful about that kind of thing.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
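
Added example, not part of the original message: one way to attach a submit validator from an external script, as a policy without the "inline" opt-out requires, cancelling the post through the preventDefault / returnValue mechanisms the message mentions. The function names are hypothetical, and the fake form and event objects are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example; helper names are hypothetical and not from the thread.
// Cancel an event's default action in either event model.
function cancelDefault(event) {
  if (!event) return;
  if (typeof event.preventDefault === 'function') {
    event.preventDefault();        // W3C DOM model (Firefox and others)
  } else {
    event.returnValue = false;     // legacy IE model
  }
}
// Attach validate() to a form's submit event from an external script,
// so the markup carries no onsubmit="..." attribute.
function attachSubmitValidator(form, validate) {
  function handler(event) {
    event = event || (typeof window !== 'undefined' ? window.event : undefined);
    var ok = false;
    try {
      ok = validate(form) === true;  // assumption: only strict true lets the submit proceed
    } catch (e) {
      ok = false;                    // a throwing validator blocks the submit
    }
    if (!ok) cancelDefault(event);
    return ok;                       // also honoured by the DOM0 fallback below
  }
  if (typeof form.addEventListener === 'function') {
    form.addEventListener('submit', handler, false);
  } else if (typeof form.attachEvent === 'function') {
    form.attachEvent('onsubmit', handler);
  } else {
    form.onsubmit = handler;
  }
  return handler;
}
// Constructed stand-ins for a form and its submit event (no browser needed).
function makeFakeForm(model) {
  var form = { listeners: [] };
  var add = function (type, fn) { form.listeners.push(fn); };
  if (model === 'w3c') form.addEventListener = add; else form.attachEvent = add;
  return form;
}
// Returns true when the browser would go on to post the form.
function simulateSubmit(form, model) {
  var event = model === 'w3c'
    ? { prevented: false, preventDefault: function () { this.prevented = true; } }
    : { returnValue: true };
  form.listeners.forEach(function (fn) { fn(event); });
  return model === 'w3c' ? !event.prevented : event.returnValue !== false;
}
```

In a page, the external script would call `attachSubmitValidator(document.getElementById(...), checkform)` once the form element exists.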