(developer.mozilla.org)

217 points palmfacehn | 2 comments | 02 Sep 25 17:16 UTC | HN request time: 0.001s | source

Show context

alserio ◴[02 Sep 25 18:34 UTC] No.45107190[source]▶

>>45106049 (OP) #

I was wondering, are template elements a good place to store json data in the page to be consumed by js?

replies(4): >>45107213 #>>45107278 #>>45108146 #>>45108459 #

yuchi ◴[02 Sep 25 18:36 UTC] No.45107213[source]▶

>>45107190 #

As good as a script element with type application/json.

replies(2): >>45107246 #>>45108038 #

alserio ◴[02 Sep 25 18:39 UTC] No.45107246[source]▶

>>45107213 #

well one difference is that application/json scripts are still subject to CSP policies

replies(1): >>45107365 #

unilynx ◴[02 Sep 25 18:48 UTC] No.45107365{3}[source]▶

>>45107246 #

How so? I don't remember ever having seen issues with this. If anything CSP steers you towards this (instead of inline scripts directly assigning to JS variables)

replies(1): >>45107777 #

alserio ◴[02 Sep 25 19:20 UTC] No.45107777{4}[source]▶

>>45107365 #

I thought I knew but it seems that the CSP story is unclear. I couldn't find an authoritative source for either position

replies(1): >>45108808 #

1. SahAssar ◴[02 Sep 25 20:46 UTC] No.45108808{5}[source]▶

>>45107777 #

CSP blocks execution/inclusion, but since json does not execute and any json mimetype will not do execution there is no problem.

Any CSP-allowed other script can read that application/json script tag and decode it, but it is no different than reading any other data it has access to like any other html element or attribute.

replies(1): >>45108885 #

2. alserio ◴[02 Sep 25 20:52 UTC] No.45108885[source]▶

>>45108808 (TP) #

That makes sense, thank you

↑

<template>: The Content Template element