Hi Yuri,
Is this required by CSP?
I do not see how it improves security.
Well, the script-src 'self' prevents the browser from executing JS that comes
from any external server. If an attacker wants your browser to execute
his JS, he has to compromise your servers first. For me, yes, it improves
security.
Meanwhile, littering all forms with IDs and adding back all events in
the JS is crappier in my mind (there are now 50+ extra lines of code that
do nothing but that).
You mean 50 more lines if you use my patch? It may be, but all the JS
is "hidden" in an external .js and the HTML code should look more
readable, even if (in our case) the changes are small. But it is a
question of point of view, I imagine. I always try to make clean HTML and
put the style in CSS and the intelligence in JS. I personally think it
is a good practice.
I think jQuery could be substituted with zepto easily, but I do not know
if it improves on this matter.
I did not know zepto; I'll check whether the eval() function is used. This is
the main issue with jQuery that imposes the 'unsafe-eval' statement in the
CSP.
Well, I now imagine I don't commit, then ;-)
Thank you for your feedback, and I'm looking a bit more deeply into the zepto point.
--
Camille
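The thread above hinges on what a script-src source list actually permits: 'self' alone blocks both third-party scripts and inline handlers, while 'unsafe-inline' (needed for onclick="..." attributes) and 'unsafe-eval' (needed for eval()-based libraries) each reopen a hole. The following is an added example, not code from the thread or from the project being patched: a small Content-Security-Policy parser that reports whether the policy still allows inline scripts or eval, applied to constructed "before" and "after" headers. The policy strings and the save-button snippet in the comments are assumptions for illustration.

```javascript
// Added example (not from the original thread): parse a Content-Security-Policy
// header and report whether its script-src directive still permits inline
// scripts / event handlers or eval(). Moving handlers out of onclick="..."
// attributes into an external .js is what lets 'unsafe-inline' be dropped;
// avoiding eval()-based libraries is what lets 'unsafe-eval' be dropped.

// Parse "directive value value; directive value" into a Map of directive -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive name is ignored: first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that governs scripts: script-src, falling back to default-src.
function scriptSources(directives) {
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Summarise what the policy lets scripts do.
function assessScriptSrc(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) {
    // No script-src and no default-src: scripts are not restricted at all.
    return { governed: false, allowsInline: true, allowsEval: true, externalHosts: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some(
    (s) => s.startsWith("'nonce-") || s.startsWith("'sha256-") ||
           s.startsWith("'sha384-") || s.startsWith("'sha512-")
  );
  return {
    governed: true,
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    allowsInline: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    allowsEval: lower.includes("'unsafe-eval'"),
    // Anything not quoted ('self', 'none', nonces, ...) is a host/scheme source.
    externalHosts: sources.filter((s) => !s.startsWith("'")),
  };
}

// Constructed policies: what a page with inline handlers and an eval()-using
// library needs, versus what the refactor discussed in the thread allows.
const CSP_BEFORE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const CSP_AFTER = "default-src 'self'; script-src 'self'";

// The refactor the second policy requires, in the external .js (hypothetical ids):
//   HTML before:  <button onclick="save()">Save</button>
//   HTML after:   <button id="save-btn">Save</button>
//   app.js:       document.getElementById('save-btn').addEventListener('click', save);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', assessScriptSrc(CSP_BEFORE));
  console.log('after: ', assessScriptSrc(CSP_AFTER));
}
```

Running it prints that the "before" policy still allows both inline scripts and eval, while the "after" policy allows neither; the parser also shows a policy with only img-src as not governing scripts at all, which is the case that is easy to miss when a default-src is absent.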