jsAttributesHandler only applied to scripts with a src location
#1835
Comments
|
in addition the attributes do not appear to end up on the |
|
I can confirm that this works:
…but this doesn't:
The framework should make it frictionless to implement an appropriate CSP for any given page, so a pull request to improve this situation is certainly welcome 🙂 |
|
hmm in our project that toWidgt julius does not turn up with jsAttributesHandler's values. I'll try make a small project to demo what I mean |
|
That's useful context, and yes, a small demo would be a good idea. Here are my notes from a few years ago which you may also find useful. |
|
Yep I actually started from your blog 😊 it was very useful |
|
@jezen i've written a test that fails to add the attributes to the script the result is |
|
and adding the attributes to non-loc scripts fixes it dten@a1ea911 |
|
I'm happy to do a PR for this if seems acceptable |
|
@dten Of course, that would be welcome. |
This very much follows on from this other ticket from some years back btw #1621
We are trying to add a CSP nonce value to the script produced by widgets with julius, but the attributes provided by
jsAttributesHandlerare only applied if that scripts has a
srcLoc, which is only possible ifaddStaticContentwas used to cache that script somewhere.The related code is here https://github.com/dten/yesod/blob/master/yesod-core/src/Yesod/Core/Class/Yesod.hs#L596
it looks like this MR was the first to add the attributes to only the ones with a location #1308
So as far as I can see at the moment there's no way to get attributes to the inline script created from julius and so no way to add a csp nonce.
I'm proposing adding the same
jsAttrsto the inline script also (as the docs seem to claim would happen) and happy to do an MR if that's acceptable. My worry is that would be a change for anyone who was only caching some of the scripts.The text was updated successfully, but these errors were encountered: