inline javascript may cause an error if the content policy restricts it

[sclausen]

so I think a blank href may be the best option.

In Chrome I got:

Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

[brianfeister]

@sclausen, the reason that the inline javascript is there is because of the UI problem of empty href attribute being invalid. If you want to fix it, you'll need some kind of noop type of model, as it stands this solution does fix the problem, but it also creates a new one.

[chodanics]

Any resolution to this issue? Is it possible to completely remove the href declaration to avoid both issues.. Looking to fix the policy error flooding the console log.

[brianfeister]

@chodanics completely removing the href creates a number of different problems so that is not a valid solution. Honestly I'm open to other ideas if you have different ones, but for now I don't see a fix coming since removing href altogether is not going to happen.

[brianfeister]

I'm closing this for now since it has unusable code attached. @chodanics, you can open a new PR with new code if you come up with something.

[Sjors]

The solution used by ui.bootstrap is to replace href="javascript:void(0)" with ng-click="$event.preventDefault()". I'll make a new PR for that.

[sclausen]

The problem is, an a-tag without a href isn't valid anymore.