Skip to content

Improve the ScriptTagHelper to support CSP & ordered, async downloading inc. fallback #4817

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
DamianEdwards opened this issue Mar 16, 2016 · 8 comments
Closed

Improve the ScriptTagHelper to support CSP & ordered, async downloading inc. fallback #4817

DamianEdwards opened this issue Mar 16, 2016 · 8 comments
Assignees
@danroth27
Labels
area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates enhancement This issue represents an ask for new feature or an enhancement to an existing one ✔️ Resolution: Duplicate Resolved as a duplicate of another issue Needs: Spec Indicates that a spec defining user experience is required
Milestone
3.0.0-preview3

Comments

@DamianEdwards
Copy link
Member

It appears our use of document.write in the ScriptTagHelper to dynamically load JS files in to the browser (the CDN fallback feature) causes issues when trying to use Content Security Policy.

It appears this could be somewhat addressed by switching to dynamically creating and appending script elements to the DOM (assuming the CSP policy that enables inline script blocks is enabled), however that results in the scripts being loaded asynchronously to the page rendering, which potentially causes errors in the page (e.g. if the scripts now run out of order to how they were declared).

This article is a good write-up of the various methods that can be used to load scripts while controlling (or not) their execution order and they're affect on rendering.

We should investigate whether we could enhance the ScriptTagHelper to better support these techniques, along with CSP, e.g.:

  • Have a way to toggle the method used to do the script loading, or just move to dynamically modifying the DOM and ignore the older browsers for which it introduces issues
  • Honor the async attribute on the script element when dynamically loading the fallback script, maybe even use it as part of the download method toggle (always use document.write unless async attribute is explicitly set, or something)
  • Maybe add a new attribute that forces scripts to be dynamically fetched async but with order preserved by the browser using these techniques, and use it combination with the above
  • Support deferring all scripts to the end of the page (or some marker element) where they can then be properly downloaded and executed in order, with fallbacks if necessary, using "all the tricks known to web developer-kind", or something
  • Give up and go shopping

Possible example that would render inline JS to do async downloads of the scripts while preserving their declared execution order:

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.1/jquery.min.js"
    asp-fallback-src="~/lib/jquery/jquery.min.js"
    async asp-preserve-load-order></script>
<script src="~/js/needs-jquery.js" async asp-preserve-load-order></script>
@DamianEdwards DamianEdwards changed the title Improve the ScriptTagHelper that does ordered, async downloading inc. fallback Improve the ScriptTagHelper to support CSP & ordered, async downloading inc. fallback Mar 16, 2016
@danroth27
Copy link
Member

@DamianEdwards I assume this isn't for RTW?

@DamianEdwards
Copy link
Member Author

Ya.

@jstangroome
Copy link

Ideally, any possible solution that relies on inline scripts should discourage the use of the unsafe- CSP directives by supporting either CSP script-src nonces or hashes or both.

@martincostello
Copy link
Member

Allowing the user to specify the nonce via an attribute (asp-fallback-nonce maybe?) and rendering that attribute in the generated script would unblock the CSP use-case.

@brockallen
Copy link

This is also an issue for the validation summary emitting style="display:none".

@m17kea
Copy link

m17kea commented Jun 13, 2017
edited
Loading

Hi,

What is the solution to validation summary emitting style="display:none" that brock mentions above?

Thanks

Mike

@danielgreen
Copy link

Instead of document.write, could the tag helper emit document.body.insertAjacentHTML('beforeend', ... ) or similar, to allow the scenario where the script tag is contained within an Ajax response (e.g. when calling jQuery.load)?

@aspnet-hello aspnet-hello transferred this issue from aspnet/Mvc Dec 13, 2018
@aspnet-hello aspnet-hello added this to the 3.0.0-preview2 milestone Dec 13, 2018
@aspnet-hello aspnet-hello added 0 - Backlog area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates enhancement This issue represents an ask for new feature or an enhancement to an existing one labels Dec 13, 2018
@mkArtakMSFT mkArtakMSFT added the Needs: Spec Indicates that a spec defining user experience is required label Jan 15, 2019
@danroth27
Copy link
Member

Let's handle this as part of our broader CSP story tracked by #6001

@danroth27 danroth27 added the ✔️ Resolution: Duplicate Resolved as a duplicate of another issue label Jan 15, 2019
@ulrichb ulrichb mentioned this issue Mar 19, 2019
Open
@ghost ghost locked as resolved and limited conversation to collaborators Dec 4, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@danroth27 danroth27

Labels
area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates enhancement This issue represents an ask for new feature or an enhancement to an existing one ✔️ Resolution: Duplicate Resolved as a duplicate of another issue Needs: Spec Indicates that a spec defining user experience is required
Projects
None yet
Milestone
3.0.0-preview3
Development

No branches or pull requests
9 participants
@jstangroome @DamianEdwards @brockallen @danielgreen @martincostello @danroth27 @m17kea @mkArtakMSFT @aspnet-hello