Add remarks on avoiding inline JS #34431
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
cc: @tdykstra ... The build report says ...
|
1 task
Change ms.author to riande. |
guardrex
changed the title
|
@jbaumflek ... Ok, so we have our answer from Javier ... don't recommend inline JS at all, and we'll just leave the CSP article as it currently is with its remarks about hashes for custom scripts. Although we didn't end up with inline JS-CSP coverage for this, thanks for your issue because we needed to firm up our recommendation on this subject for the community. Happy New Year! 🎉 |
|
Thank you all!
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Luke Latham ***@***.***>
Sent: Tuesday, January 7, 2025 8:46:52 AM
To: dotnet/AspNetCore.Docs ***@***.***>
Cc: jbaumflek ***@***.***>; Mention ***@***.***>
Subject: Re: [dotnet/AspNetCore.Docs] Add remarks on avoiding inline JS (PR #34431)
@jbaumflek<https://github.com/jbaumflek> ... Ok, so we have our answer from Javier ... don't recommend inline JS at all, and we'll just leave the CSP article as it currently is with its remarks about hashes for custom scripts. Although we didn't end up with inline JS-CSP coverage for this, thanks for your issue because we needed to firm up our recommendation on this subject for the community. Happy New Year! 🎉
—
Reply to this email directly, view it on GitHub<#34431 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AFTJ67YJRXQVIQIVXNZE2BD2JPLEZAVCNFSM6AAAAABUP6ONV6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZVGMZTKMBQG4>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #34425
Thanks @jbaumflek! 🚀 ... I'll start with this, and I'll ask Steve to review it next week. Let's give him a second to get back into the swing of things now that we're all coming back from the holidays.
BTW ... Ignore my code-fencing activities on the DIFF. I noticed in passing that I didn't have the policy directive cross-link API code-fenced, and I decided to do that here to avoid having to create a new PR. Scroll down to the new Use of inline JavaScript with a CSP section.
I'll keep an 👂 open if you create a product unit issue to discuss this subject with engineering.
Internal previews