Docs: Clarifying the CSP-friendly replacement for <body onload="XXX">.

chrome/common/extensions/docs/static/contentSecurityPolicy.html

 <div id="pageData-name" class="pageData">Content Security Policy (CSP)</div>
 <div id="pageData-showTOC" class="pageData">true</div>
 
 <p>
   In order to mitigate a large class of potental cross-site scripting issues,
   Chrome's extension system has incorporated the general concept of
   <a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">
     <strong>Content Security Policy (CSP)</strong>
   </a>. This introduces some fairly strict policies that will make extensions
   more secure by default, and provides you with the ability to create and
@@ skipping 75 matching lines @@
         // do something awesome!
       }
 
       function totallyAwesome() {
         // do something TOTALLY awesome!
       }
 
       function clickHandler(element) {
         setTimeout(<strong>"awesome(); totallyAwesome()"</strong>, 1000);
       }
+
+      function main() {
+        // Initialization work goes here.
+      }
     &lt;/script&gt;
   &lt;/head&gt;
-  &lt;body&gt;
+  &lt;body onload="main();"&gt;
     &lt;button <strong>onclick="clickHandler(this)"</strong>&gt;
       Click for awesomeness!
     &lt;/button&gt;
   &lt;/body&gt;
 &lt;/html&gt;</pre>
 
 <p>
   Three things will need to change in order to make this work the way you expect
   it to:
 </p>
 
 <ul>
   <li>
     The <code>clickHandler</code> definition needs to move into an external
     JavaScript file (<code>popup.js</code> would be a good target).
   </li>
   <li>
-    The inline event handler definition must be rewritten in terms of
-    <code>addEventListener</code> and extracted into <code>popup.js</code>.
+    <p>The inline event handler definitions must be rewritten in terms of

[Aaron Boodman, 2012/08/10 19:21:11]

Another easy thing to do is just include the script at the end of the document:

// foo.html
<head>
  <link rel="stylesheet" href="foo.css">
</head>
<body>
  ... stuff here ...
  <script src="foo.js"></script>
</body>
</html>

+    <code>addEventListener</code> and extracted into <code>popup.js</code>.</p>
+    <p>If you're currently kicking off your program's execution via code like
+    <code>&lt;body onload="main();"&gt;</code>, consider replacing it by hooking
+    into the document's <code>DOMContentLoaded</code> event, or the window's
+    <code>load</code> event, depending on your needs. Below we'll use the
+    former, as it generally triggers more quickly.</p>
   </li>
   <li>
     The <code>setTimeout</code> call will need to be rewritten to avoid
     converting the string <code>"awesome(); totallyAwesome()"</code> into
     JavaScript for execution.
   </li>
 </ul>
 
 <p>
   Those changes might look something like the following:
 </p>
 
 <pre>popup.js:
 =========
 
 function awesome() {
   // Do something awesome!
 }
 
 function totallyAwesome() {
   // do something TOTALLY awesome!
 }
 
-<strong>
-function awesomeTask() {
+<strong>function awesomeTask() {
   awesome();
   totallyAwesome();
-}
-</strong>
+}</strong>
 
 function clickHandler(e) {
   setTimeout(<strong>awesomeTask</strong>, 1000);
 }
 
+function main() {
+  // Initialization work goes here.
+}
+
 // Add event listeners once the DOM has fully loaded by listening for the
 // `DOMContentLoaded` event on the document, and adding your listeners to
 // specific elements when it triggers.
-document.addEventListener('DOMContentLoaded', function () {
+<strong>document.addEventListener('DOMContentLoaded', function () {</strong>
   document.querySelector('button').addEventListener('click', clickHandler);
+  main();
 });
-
-popup.html:
+</pre>
+<pre>popup.html:
 ===========
 
 &lt;!doctype html&gt;
 &lt;html&gt;
   &lt;head&gt;
     &lt;title&gt;My Awesome Popup!&lt;/title&gt;
     &lt;script <strong>src="popup.js"</strong>&gt;&lt;/script&gt;
   &lt;/head&gt;
   &lt;body&gt;
     &lt;button&gt;Click for awesomeness!&lt;/button&gt;
@@ skipping 95 matching lines @@
 
 <p>
   You may, of course, tighten this policy to whatever extent your extension
   allows in order to increase security at the expense of convenience. To specify
   that your extension can only load resources of <em>any</em> type (images, etc)
   from its own package, for example, a policy of <code>default-src 'self'</code>
   would be appropriate. The <a href="samples.html#mappy">Mappy</a> sample
   extension is a good example of an extension that's been locked down above and
   beyond the defaults.
 </p>