[UUF] Removing creation of inline JS script tags upon calling sendToClient()

[UUF] Removing creation of inline JS script tags upon calling sendToClient()

SajithAR Ariyarathna
Hi All,

We are in the process of doing $subject.

# What is the sendToClient() function?
It's a server-side JS function provided by UUF that can be used to send a server-side value to the client side.

function onGet(env) {
  sendToClient("contextPath", env.contextPath);
}

which will produce the following inline script:
<script type="text/javascript">var contextPath="/portal";</script>

However, we are hoping to set the Content-Security-Policy header to disable inline JS scripts as a security measure against XSS vulnerabilities (as suggested by the security team):
Content-Security-Policy: upgrade-insecure-requests, default-src 'self', frame-ancestors 'none'
So setting the Content-Security-Policy header as above will break the sendToClient() functionality.

# Proposed solution
Create a <meta> tag in the page header that contains all the values sent from the server side.

<meta name="uuf/from-server" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
  • Only one <meta> tag will be created.
  • All the values sent from the server side will be composed into a JSON object, and that JSON string will be encoded to Base64.
  • In order to access a value, the webapp developer has to use the UUFClient.
    • e.g. UUFClient.fromServer("contextPath"), which will return "/portal"
  • Please note that this will be a breaking change for existing UUF apps/components that utilize the sendToClient() function.
WDYT?

Thanks.
--
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.;  http://wso2.com/
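The mechanism proposed in the message above, as an added example that is not UUF's own code: the server collects every sendToClient() value into one JSON object, Base64-encodes it and emits a single <meta> tag; the client decodes that tag with JSON.parse instead of executing an inline <script>, which a policy such as default-src 'self' (no 'unsafe-inline', no nonce or hash) blocks. UUFClient's real implementation is not on this page, so fromServerValues, renderMetaTag, encodeForMeta, decodeFromMeta, base64ToUtf8, fromServer and readFromDocument are assumed names; the selector defaults to the name="uuf/from-server" form proposed here, and the property="uuf:data" form the thread settles on later is only a different selector. The sample values are constructed. One practitioner's note on the header itself: directives in a Content-Security-Policy header are separated by semicolons.

```javascript
// Added example (not UUF's own code). Server side: collect sendToClient()
// values into one JSON object and emit them in a single <meta> tag.
// Client side: read the tag back and JSON.parse it, so no inline <script>
// is needed and a CSP without 'unsafe-inline' (e.g. default-src 'self')
// does not break the page. Runs under Node.js; the browser-only DOM lookup
// is isolated in readFromDocument(). All names below are assumed.

// --- server side ---------------------------------------------------------
const fromServerValues = {}; // per-request collection (assumption)

// Same call shape as the thread's sendToClient(name, value).
function sendToClient(name, value) {
  fromServerValues[name] = value;
}

// The behaviour being removed: an inline script. With the proposed CSP the
// browser refuses to run this, because no nonce/hash/'unsafe-inline' allows it.
function renderInlineScript(name, value) {
  return `<script type="text/javascript">var ${name}=${JSON.stringify(value)};</script>`;
}

// JSON -> UTF-8 bytes -> Base64. The output alphabet is [A-Za-z0-9+/=], so a
// value containing quotes, <, > or & can never break out of content="...".
function encodeForMeta(values) {
  return Buffer.from(JSON.stringify(values), 'utf8').toString('base64');
}

// One tag per page. attrName/attrValue default to the form proposed above;
// ('property', 'uuf:data') gives the form the thread settles on later.
function renderMetaTag(values, attrName = 'name', attrValue = 'uuf/from-server') {
  return `<meta ${attrName}="${attrValue}" content="${encodeForMeta(values)}">`;
}

// --- client side (UUFClient.fromServer() equivalent) ----------------------
function base64ToUtf8(b64) {
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  // Browser path: atob() yields a binary string; decode its bytes as UTF-8.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Always JSON.parse, never eval(): the payload is data, not code.
function decodeFromMeta(content) {
  return JSON.parse(base64ToUtf8(content));
}

// Own-property check so a key like "toString" cannot leak Object.prototype members.
function fromServer(values, key) {
  return Object.prototype.hasOwnProperty.call(values, key) ? values[key] : undefined;
}

// `doc` is anything with querySelector() (window.document in the browser,
// a constructed stub in tests). Fails loudly if the tag is missing.
function readFromDocument(doc, selector = 'meta[name="uuf/from-server"]') {
  const tag = doc.querySelector(selector);
  if (!tag) throw new Error(`uuf: no ${selector} tag in document`);
  return decodeFromMeta(tag.getAttribute('content'));
}

// --- demo with constructed values ----------------------------------------
sendToClient('contextPath', '/portal');
sendToClient('displayName', 'Ann "O\'Brien" <ann@example.com>'); // attribute-hostile characters
const metaTag = renderMetaTag(fromServerValues);
const decoded = decodeFromMeta(metaTag.match(/content="([^"]*)"/)[1]);
console.log(metaTag);
console.log(fromServer(decoded, 'contextPath')); // /portal
```

Base64 does two jobs here: it keeps any value inside the content attribute regardless of the characters it contains, and it keeps the server-to-client data path free of script execution, so the CSP can stay at default-src 'self' without 'unsafe-inline'. The decoded object is still input from the server that the page must treat as data: render it through DOM APIs that escape, not through innerHTML.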


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: [UUF] Removing creation of inline JS script tags upon calling sendToClient()

SajithAR Ariyarathna
Hi Jerad,

On Wed, May 31, 2017 at 4:05 PM, Jerad Rutnam <[hidden email]> wrote:
Hi Sajith,

As per the offline discussion we had, IMO I feel it's OK to use a <meta> tag for it. But I have some minor suggestions; please see the example below.

<meta property="uuf:data" data-from-server="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
Based on your suggestion, I'd like to propose the following meta tag.
<meta property="uuf:data" value="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">
IMO, using "value" instead of "data-from-server" gives a more general meta tag.
 
Cheers,

--
Jerad Rutnam
Senior Software Engineer

WSO2 Inc.
lean | enterprise | middleware
M : +94 77 959 1609 | E : [hidden email] | W : www.wso2.com





--
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.;  http://wso2.com/



Re: [UUF] Removing creation of inline JS script tags upon calling sendToClient()

SajithAR Ariyarathna
Hi Jerad,

On Wed, May 31, 2017 at 5:12 PM, Jerad Rutnam <[hidden email]> wrote:
Hi Sajith,

The "value" attribute has a direct coupling with the "name" attribute. That's why I thought of changing it. But in that case I would suggest using the "content" attribute instead, as other vendors do,

e.g. <meta property="og:title" content="Open Graph META Tags"/>
+1 for "content"

Thanks.


On the other hand, using "data-*" attributes in <meta> tags is not a valid W3C standard. But I saw an article that says that even though it is not valid per the W3C spec, it still has a meaning: it stores app data instead of HTML document metadata.

Cheers,

--
Jerad Rutnam
Senior Software Engineer

WSO2 Inc.
lean | enterprise | middleware
M : +94 77 959 1609 | E : [hidden email] | W : www.wso2.com





--
Sajith Janaprasad Ariyarathna
Senior Software Engineer; WSO2, Inc.;  http://wso2.com/



Re: [UUF] Removing creation of inline JS script tags upon calling sendToClient()

Dakshika Jayathilaka
Hi All,

IMHO, if we are going forward with the meta tag, we need to think about HTML validation as well. AFAIK, according to the specification, we can't use the value or data attributes with meta tags [1]. +1 for using the content attribute.


Dakshika Jayathilaka
PMC Member & Committer of Apache Stratos
Associate Technical Lead
WSO2, Inc.
lean.enterprise.middleware
0771100911


Re: [UUF] Removing creation of inline JS script tags upon calling sendToClient()

Rasika Perera
+1 for <meta property="uuf:data" content="ew0KIGNvbnRleHRQYXRoOiAiL3BvcnRhbCINCn0=">.

AFAIK there's no hard limitation on meta tags, unless search engines cut them off at some point for SEO.

--
With Regards,

Rasika Perera
Senior Software Engineer



WSO2 Inc. www.wso2.com
lean.enterprise.middleware
