Tue, 28 Jul 2020 at 16:55, Christopher Schultz <ch...@christopherschultz.net>:
>
> All,
>
> I was looking at this PR[1] and wondering why we have huge swaths of
> CSS and HTML in a Java source file, instead of using e.g. JSP or some
> other content-generation framework.

I remember that I once read some praise for being able to use the
Manager web application when there is no Jasper and no JSP compiler
available. It was more than 5 years ago and I do not remember the
details - maybe it was some small system with limited hardware.

The Manager app does use JSPs nowadays, not for some unimportant
pages: listing of sessions and listing attributes of a session.

> I know, I hate JSP, too, but having large blocks of HTML and CSS in
> Java strings is just ... awful.
>
> Also, is there a particular reason we are using embedded CSS in the
> pages instead of an external CSS file?

Originally it was rather small. It grows with time.

A separate file needs a license header, so the size will grow.

> Ultimately, it would be a good idea to move all CSS and even styles
> into a separate CSS file so we can tighten-up the Content Security
> Policy on the manager app. This can help prevent attacks if there
> happens to be some kind of XSS vulnerability hiding in there somewhere.

I do not get how having a separate file matters with Content Security Policy.

> Any objections to evicting the CSS to begin with?

No objection, if you want it.

We already have image files. Thus, why not?

> [1] https://github.com/apache/tomcat/pull/327

An odd PR. I see that it makes some visual changes, but there is no
description nor discussion of what the actual changes are.

Best regards,
Konstantin Kolinko
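
The link between embedded CSS and Content Security Policy raised in the thread, as an added example that is not part of the original email or of Tomcat's code: a policy whose style-src lacks 'unsafe-inline' stops the browser from applying <style> blocks and style="" attributes, while a same-origin stylesheet file still loads. The sample pages, the policy strings and the path css/manager.css are constructed for illustration, and nonce/hash sources are not modelled.

```python
from html.parser import HTMLParser

def inline_styles_allowed(csp: str) -> bool:
    """True if the policy lets <style> blocks and style="" attributes apply."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(),
                                  [t.lower() for t in tokens[1:]])
    # style-src falls back to default-src; with neither, styles are unrestricted
    sources = directives.get("style-src", directives.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources

class InlineStyleFinder(HTMLParser):
    """Collects every inline style construct in a page."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.found.append("<style> element")
        if any(name == "style" for name, _ in attrs):
            self.found.append(f"style attribute on <{tag}>")

def blocked_styles(html: str, csp: str) -> list:
    """Inline style constructs in html that the given policy would block."""
    if inline_styles_allowed(csp):
        return []
    finder = InlineStyleFinder()
    finder.feed(html)
    return finder.found

# Constructed sample pages: CSS embedded in the markup vs. moved to a file.
EMBEDDED = ('<html><head><style>td{border:1px solid}</style></head>'
            '<body><td style="color:red">x</td></body></html>')
EXTERNAL = ('<html><head><link rel="stylesheet" href="css/manager.css"></head>'
            '<body><td class="warn">x</td></body></html>')
STRICT = "default-src 'self'; style-src 'self'"
LOOSE = "default-src 'self'; style-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for name, page in (("embedded", EMBEDDED), ("external", EXTERNAL)):
        print(name, "under strict policy:", blocked_styles(page, STRICT))
```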
