Does anyone know a nice resource which explains why inline scripts/styles are a bad idea?
There were some nice stickers at #36C3 about it, but I believe they didn't have an explanation either.
Also, are there security risks involved when allowing "data:" links in a Content-Security-Policy header?
@The_Observer6955 I have no idea whether there is a security issue with it, but my main reason to avoid inline JS and CSS is that you have a harder time finding where you wanted to change something, and you can't reuse the same code in multiple objects without copy-pasting, like you can with CSS classes (where the actual style info is somewhere else) or JS functions.
@The_Observer6955 I don't know of any security concern regarding inline styles. There were some ways to put JS into CSS, not sure if that's still a thing.
For me, inline styles are mostly a sign that CSS isn't used efficiently. Chances are you want to potentially reuse that styling and give it a specific meaning.
Then there is stuff like Bootstrap, which uses meaningless classes as a replacement for inline styles. Kinda ruins what CSS is supposed to do, I think.
Thanks for your answers. Those are valid reasons as well.
My use case is self-hosting some applications, which I wanted to secure via the CSP header, which can prevent, for example, XSS attacks by telling the browser that it shouldn't execute inline scripts. I am currently filing issues for all the applications which use these themselves, which prevents me from setting the header. I hoped there would be a website I can link which explains everything for me. 😃
It is to make it work, but as the name says, it is unsafe and against what the CSP script-src is there for. Without 'unsafe-inline', XSS attacks can be prevented.
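As an added example, not from this thread or from any of the applications mentioned in it: a small Python script that flags the policy settings discussed above ('unsafe-inline' and data: in script-src/style-src), shows whether a given inline script body would run under a policy, and rewrites the weak header into one that allow-lists the application's own inline code by SHA-256 hash instead, which is the standard CSP way to keep a specific inline script while dropping 'unsafe-inline'. The headers and inline snippets are constructed samples, and the function names are the example's own.

```python
# Added example (not the thread's or any project's code): inspect a CSP header
# for the settings discussed above and compute the hash that lets a single
# inline script stay allowed once 'unsafe-inline' is dropped.
import base64
import hashlib

# Constructed sample policy: the permissive header a self-hosted app might ship
# so that its inline code keeps working.
WEAK_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' data:; "
    "style-src 'self' 'unsafe-inline'"
)

# Constructed sample inline content: the script and style the application
# actually ships, and a script body an XSS bug might inject into a page.
LEGIT_SCRIPT = "document.documentElement.classList.add('js');"
LEGIT_STYLE = "body { margin: 0 }"
INJECTED_SCRIPT = "alert(document.domain) /* injected via XSS */"

INLINE_KEYWORDS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
WHAT = {"script-src": "scripts", "style-src": "styles"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp."""
    return "; ".join(f"{name} {' '.join(sources)}".strip()
                     for name, sources in policy.items())


def sources_for(policy, directive):
    """script-src and style-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def content_hash(source):
    """The 'sha256-...' expression that allow-lists exactly this inline text."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def find_weaknesses(header):
    """Human-readable findings for the settings the thread asks about."""
    policy = parse_csp(header)
    findings = []
    for directive, what in WHAT.items():
        sources = [s.lower() for s in sources_for(policy, directive)]
        if not sources:
            findings.append(f"{directive}: neither it nor default-src is set, "
                            f"so inline {what} are unrestricted")
            continue
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        if "'unsafe-inline'" in sources and not any(s.startswith(INLINE_KEYWORDS) for s in sources):
            findings.append(f"{directive}: 'unsafe-inline' means injected inline {what} "
                            f"are executed/applied")
        if "data:" in sources:
            findings.append(f"{directive}: data: lets {what} be loaded from "
                            f"attacker-chosen data: URLs")
    return findings


def allows_inline_script(header, source):
    """Would a CSP-enforcing browser run this inline <script> body?
    Only hash sources are modelled: a nonce needs the element's nonce attribute,
    which the source text alone does not carry."""
    sources = sources_for(parse_csp(header), "script-src")
    if not sources:
        return True
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" in lowered and not any(s.startswith(INLINE_KEYWORDS) for s in lowered):
        return True
    return content_hash(source) in sources


def harden(header, inline_by_directive):
    """Drop 'unsafe-inline' and data: from each directive and allow-list the
    given inline bodies by hash instead."""
    policy = parse_csp(header)
    for directive, bodies in inline_by_directive.items():
        kept = [s for s in sources_for(policy, directive)
                if s.lower() not in ("'unsafe-inline'", "data:")]
        policy[directive] = kept + [content_hash(body) for body in bodies]
    return serialize_csp(policy)


if __name__ == "__main__":
    hardened = harden(WEAK_CSP, {"script-src": [LEGIT_SCRIPT], "style-src": [LEGIT_STYLE]})
    print("weak:", WEAK_CSP)
    for finding in find_weaknesses(WEAK_CSP):
        print("  -", finding)
    print("hardened:", hardened)
    print("injected script runs under hardened policy?",
          allows_inline_script(hardened, INJECTED_SCRIPT))
```

A hash allow-list only matches the exact inline text, so an inline script that a template fills with per-page values changes hash on every response and is better moved to an external file (or given a per-response nonce); that is the practical reason developers get asked to take inline scripts and styles out rather than to have the header relaxed.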
I was just looking for a nice resource which explains this in an easy way, to hand to the developers and make them remove the inline scripts and styles.
That's what I was looking for. Thanks!