CSP support #3911
Comments
|
There are a 3 other templates with anchor elements that have blank href attributes: pagination/pager.html Not sure if that's legit or we should do the same on those templates. |
|
Blank href's are generall fine. Only when they have interactive (link or button for example) children things may go south. |
|
So if I understand correctly, the preferred approach would be: If the a element has a click handler, use: Otherwise use: |
|
I'm actually not entirely sure about your first example (time for a plunkr?). But this is what I was talking about: |
|
This question comes from the recent commit @wesleycho made to make the accordion and typeahead CPS compliant. For the accordion group template, there is a handler on the ng-click and the end result now looks like so: The typeahead-match was changed to look like so: My confusion is, if there is no handler on the ng-click, would the correct fix for the typeahead-match be: The reason I ask, the 3 templates I mentioned above have the anchor element as: pagination/pager.html pagination/pagination.html tabs/tab.html Which seems to me to fall into the same scenario as the accordion-group. Or am I totally missing the point? I would just like to see this handled consistently... |
|
Good catch @RobJacobs - I missed that particular resolution. I think I would lean towards the empty href solution for performance reasons |
|
I'm not sure what the best approach is, the javascript:void(0) was added to fix the issue discussed in #3911 |
|
I think we need to do |
|
I believe we are fine currently with this issue, feel free to bring up any other CSP issues in new issues. |
There has been a request for CSP support, and it seems like a reasonable feature request to split into a separate issue.
This needs to be investigated to see what changes would be needed to support this.
The text was updated successfully, but these errors were encountered: