Monday, 26 January 2015

Inline JavaScript blocks and Content Security Policy (CSP)

Recently I was working with a team that is writing a large Web application using ASP.NET MVC framework. They had written a lot of inline JavaScript like following:


While this does not look all that awful, this kind of code has couple of issues:

Maintainability and Re-usability:


If you have ever worked in a large team you would be able to connect with the feeling you gets when you see a razor view full of multiple script blocks which perform different types of functions. You start to wonder about the re-usability and maintainability of such code blocks - how many bugs could have been prevented and how many development hours could have been saved if folks just reused the code. Lets accept it - having code into common files makes things simpler.

Performance:


Web Servers and CDNs can easily cache the static files. If the JavaScript code is moved to separate JS files then they can be cached and help improve the performance of the web page.

Security:

Content Security Policy is something you should want to apply on your web pages to prevent any Cross Site Scripting and other similar other attacks. Essentially, if you enable CSP in your web application, then you should be able to specify origin of web page content (that includes JS, CSS, fonts etc.) to the browser that it should trust to load and execute. Though in its current state, it does not force any security measures against browser extensions and add-ons, it is still more secure than to write inline script and fret about consequences if someone found a way to inject JavaScript code in your web pages.

So that is that. What happens when you think of implementing this in your standard ASP.NET MVC application? Potential challenges:

1. A major disadvantage is that you can not use server side objects e.g. Messages declared in your resource files, Constants declared in C# classes etc. in the external JavaScript file. You can essentially find a smart way to do that like using Razor template engine outside view to generate the Script file content dynamically but that could end being a little unmanageable in terms of caching and clean up of dynamically generated content.
2. Another disadvantage would be the in scenarios when you need to use dynamic views in incremental fashion. You may have to switch to JsonResult instead of ViewResult to better manage it through external Javascript file.

Tools:
In order to overcome those challenges, you should move to client side MVVM programming model. There are plenty of tools available now that make such programming model easy e.g. AngularJS, KnockoutJS. Both of these fit well inside ASP.NET MVC application. In order to ease the pain of handling unstructured contracts and data types, you could also leverage a wonderful tool released by Microsoft called TypeScript. Integration between TypeScript and popular client side MVVM programming tools is already made easy by the enthusiastic community - Example # 1, Example # 2

Peace!!

1 comment:

  1. In my opinion, great content is above all. So focusing on creating good quality content is the solution.


    Web Hosting Melbourne

    ReplyDelete