Thanks, @ceford, for the
important extra information—that wasn't immediately obvious to me—and for sharing your thoughts about the impact that the unavailability of a
working com_csp (and allied software) may have on the plans to release J! 4.0 in the near term.
Reading through the
documentation about HTTP Header Management (and putting aside that the feature is optional and there's no requirement to enable the facility unless some website owners see a benefit in using it), it may be a bigger deal for some people than it is for others. Further, the impact may be felt on this forum (and other online technical forums) when we read
... the big security advantage concerning Content Security Policy jumps in when we can use the Header to block all inline JavaScript and inline CSS affecting for example JavaScript event handlers via HTML attributes. So with this browser protection enabled we will block inline JavaScript and inline CSS usage also for your extensions. That protection is not enabled by default but can be enabled by your users.
The impact on the forum will probably be felt when people say, "my
such-and-such doesn't work" (where
such-and-such is the website owner's own use of inline JS/CSS or the use of extensions that haven't been worked in ways to make them compatible with J! 4. This could be a "gotcha".
I understand the appeal that some additional security-related feature will have for many website owners (and that's a good thing) but unless website owners really understand the ins-and-outs of what these additional security functions do and the possible side-effects in using them, this could be a long-term running sore.
Further along in the documentation we see that, by enabling a "strict Content Security Policy" (and who wouldn't want a policy that keeps everything nice and clean from a security viewpoint, eh?),
... the following features will be blocked:
- the execution of JavaScript via the HTML event handlers (onXXX handlers like onClick and similar)
- the execution of in-page JavaScript not passed to the page via the Document API
- the execution of JavaScript code injected into DOM APIs such as eval()
- the usage of inline in-page CSS not passed to the page via the Document API
- the usage of inline CSS using the HTML style attribute
Hmmm ...
So the
"notes" for extension developers, whose products may be jeopardised by these actions and whose reputations may be rattled when their customers write to them with "Your product is broken" requests for support, may be a little ... um ... "complicated", putting it mildly. I don't understand what it means for me, as a website owner or as someone tempted to create J! extensions, what to do or how to navigate my way through the likely problems that will occur by diving into the content security policy feature.
Not saying it's not a good idea but it may be better to hold off on this for the present, release J! 4.0 (without it), let people learn to swim with everything else that comes with J! 4.0, and ensure there are plenty of swimming coaches available to teach novice J! 4 users to become advanced "swimmers".
While a lot of this may sound like "techno-babble" to novices, I understand a good deal about DOMs, and APIs and inline JS and CSS, and HTML event handlers because I've been using these things for the past 15+ years in my webcraft. And while there may be purists among us who eschew the unfettered, unconstrained use of
onClick or
eval() usages and who would advocate that these things shouldn't be allowed in the ways that people use them, sometimes it's easier to "just do it" that way. Yes, I am not someone who normally uses inline "anything" but sometimes ... well, y'know ...
And just because I may use inline "somethings" shouldn't be an opportunity for hard-line purists to condemn me for it.
While the Content Security Policy feature will probably be included with J! 4.0 (although not enabled by default), and it will further add to delaying the release of J!4.0—because we don't know otherwise—it sounds like
forbidden fruit to me.
Just saying, it's a bit too much for some of us to absorb in one hit.