JSINFO moved to <meta> #4242
JSINFO moved to <meta> #4242
Conversation
|
I observe: It could potentially get even simpler:
But then |
inc/template.php
Outdated
| jsinfo(); | ||
| $script .= 'var JSINFO = ' . json_encode($JSINFO, JSON_THROW_ON_ERROR) . ';'; | ||
| $head['script'][] = ['_data' => $script]; | ||
| $head['meta'][] = ['itemprop' => 'JSINFO', 'content' => base64_encode(json_encode($JSINFO, JSON_THROW_ON_ERROR))]; |
There was a problem hiding this comment.
why the base64 encoding?
There was a problem hiding this comment.
Well this PR was just thought as a quick proof-of-concept. I used base64 as kind-of quick means to safely escape the string properly for use in the HTML meta attribute. htmlspecialchars does not escape double quotes, so that would fail when constructing the meta tag using double quotes.
Feel free to suggest anything different.
There was a problem hiding this comment.
Well this PR was just thought as a quick proof-of-concept.
Not to rain on your parade, I appreciate your desire to help, but I can do a quick proof of concept myself - no problem. The bigger task is to bring it to a state where it works well enough to be merged with confidence and for that a quick proof of concept PR is not really helping much.
lib/exe/js.php
Outdated
| // TODO From template.php. Is this neccessary? | ||
| if ($conf['useacl'] && $INPUT->server->str('REMOTE_USER')) { | ||
| echo "var SIG=" . toolbar_signature() . ";"; | ||
| } |
There was a problem hiding this comment.
The JS dispatcher runs without a session and the results are meant to be cacheable. So no user dependent information (like the signature) can be set here.
There was a problem hiding this comment.
Suggestion: Add SIG into JSINFO? See the updated PR.
There was a problem hiding this comment.
I'll have to admit I adapted the function toolbar_signature(). At least the test case will have to be adapted, too.
|
OK, I've made the |
|
You may want to explore using a script tag with base64 encoded src attribute instead, of course that introduces async behaviour to these global variables |
Thanks for the suggestion. I did not think of that. If I understand you correctly, you think of something like That actually passes the W3C validator. However my browser tries to load that resource from https://my-dokuwiki-base/bWVoaA== and fails. Not nice. Using a |
|
@mprins: Thank You for your reply. However my point was: I simply thought passing a bunch of variables (NS, JSINFO, and SIG) could be possible in an EASY way, AVOIDING the neccessity of a nonce. |
JSINFO moved to a HTML
<meta>tag, to allow a strict CSP.Contributes to the discussion at #3788.
CAN work if there are no inline JavaScripts that instantly would need the JSINFO variable.
I have to admit already the DokuWiki default template has inline JavaScript; but does not use the JSINFO variable.
Let's put it this way: When you used an inline script in the past (that gets executed instantly), you could not rely on neither
lib/exe/jquery.phpnorlib/exe/js.php(because these are external and deferred). Now theJSINFOvariable gets added to that list, too.