archive-gh-me/systemjs
1
0
Fork 0
mirror of https://github.com/systemjs/systemjs.git synced 2026-01-25 14:57:38 +00:00
Code Issues Projects Releases Wiki Activity

CSP global note

Browse Source
This commit is contained in:
Guy Bedford 2015-09-05 14:40:51 +02:00
parent f8922eecb9
commit cc38ed243d
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/module-formats.md
View File

@ -95,7 +95,7 @@ _CommonJS is loaded via XHR making it non-[CSP](http://www.html5rocks.com/en/tut
When executing AMD, the global `module`, `exports` are temporarily removed, and the global `define` and `require` are set to the SystemJS AMD functions.
_By default AMD modules are loaded via `<script>` tag injection making them [CSP](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)-compatible._
_By default AMD modules are loaded via `<script>` tag injection making them [CSP](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)-compatible, provided that modules that are AMD are indicated [via meta](#module-formats) so that SystemJS knows to skip format detection and load them with script tags._
#### RequireJS Support
@ -196,7 +196,7 @@ System.import('vendor/angular-ui-router.js');
In the above scenario, a globally scoped `angular` will be set to the module value for the Angular ES6 module only for the duration of execution of the global plugin. They will be reverted to whatever they where before after execution, if they didn't exist they're removed. This doesn't influence the globals that might already be generated by the referenced package.
> **The globals meta-configuration option is only available for the `global` and `cjs` module formats.** This is because these are the only module formats that are not [CSP](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)-compatible, as there is no CSP-compliant way to implement this configuration.
> **The globals meta-configuration option is only available for the `global` and `cjs` module formats.** as these are the only formats that are source-code-transformation based.
Referenced packages automatically becomes dependencies.
@ -208,3 +208,15 @@ This is a member expression on the global object to be taken as the exports of t
For example, `angular` or `jQuery.fn.pluginName`.
> Globals can be loaded in a way that is CSP-compatible by setting their `format` and `exports` metadata when not setting any `globals` metadata. SystemJS then knows it can use script tag injection for this case. For example, Google Analytics can be loaded without requiring CORS or CSP via setting:
```javascript
System.config({
meta: {
'https://www.google-analytics.com/analytics.js': {
exports: 'ga',
format: 'global'
}
}
});
```