[WebProfiler] don't add inline javascript · Issue #15397 · symfony/symfony · GitHub
[WebProfiler] don't add inline javascript #15397
Closed
@thkoch2001

Description

Inline JavaScript (and CSS) is a security and performance issue. Content-Security-Policy exists to tell browsers not to execute inline JavaScript.

The Web Profiler Toolbar however uses inline JavaScript. Why? It would also be possible to add a script tag to load the missing JavaScript.

Information can be passed from the server to the JavaScript code easily without inline JavaScript:

<script class="embedded-json-data" type="application/json" data-name="myActiveProfile">
   {"id": 123, "name": "ido", "language": "en"}
</script>

and in your JavaScript (angular here):

// name is the data-name of the embedded JSON block to read
var name = 'myActiveProfile',
    selector = 'script.embedded-json-data[data-name="' + name + '"]',
    node = document.querySelector(selector),
    data = angular.fromJson(node.innerHTML);
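The JSON data block approach described above, as an added example that is not part of the original issue and is not Symfony code. The function names `embedJson` and `readEmbeddedJson` and the name check are assumptions; the example goes beyond the post by handling a value that contains `</script>`, which `JSON.stringify` alone would leave able to close the element early.

```javascript
'use strict';

// Hypothetical rule: restrict data-name so it is safe both as an HTML
// attribute value and inside the quoted CSS attribute selector.
const NAME_RE = /^[A-Za-z0-9_-]+$/;
const CLASS_NAME = 'embedded-json-data';

// Server side: build the non-executable data block.
// "<" can only occur inside JSON strings, so replacing it with the JSON
// escape \u003c keeps the document valid JSON while making "</script>"
// and "<!--" impossible inside the element.
function embedJson(name, data) {
  if (!NAME_RE.test(name)) {
    throw new Error('invalid data-name: ' + name);
  }
  const json = JSON.stringify(data).replace(/</g, '\\u003c');
  return '<script class="' + CLASS_NAME + '" type="application/json" ' +
    'data-name="' + name + '">' + json + '</script>';
}

// Client side: lives in an external .js file, so the page can be served
// with a Content-Security-Policy that does not allow inline scripts.
// `doc` is the browser's `document` (passed in so the function is testable).
function readEmbeddedJson(doc, name) {
  if (!NAME_RE.test(name)) {
    throw new Error('invalid data-name: ' + name);
  }
  const selector = 'script.' + CLASS_NAME + '[data-name="' + name + '"]';
  const node = doc.querySelector(selector);
  // textContent is the raw text of the element; no framework needed.
  return node === null ? null : JSON.parse(node.textContent);
}

// Constructed sample: the "name" field carries a closing tag on purpose.
const constructedProfile = { id: 123, name: 'ido</script>', language: 'en' };
console.log(embedJson('myActiveProfile', constructedProfile));
```
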
