support CSP mode #893

Closed
IgorMinar opened this Issue Apr 20, 2012 · 1 comment

2 participants

@IgorMinar
Angular member

https://developer.mozilla.org/en/Security/CSP/Default_CSP_restrictions

There is just one place in the parser which needs to be fixed. We can feature detect CSP with:

var CSP_MODE = (function() {
  try {
    // Under a CSP that blocks string-to-code (no 'unsafe-eval'), constructing
    // a Function from a string throws, so this line never returns.
    return !(new Function("return true")());
  } catch (e) {
    // Function(string) was refused: we are running under CSP.
    return true;
  }
})();

If detected, we are not going to dynamically create the getter fn.

@esprehn

I think this might work too:

var CSP_MODE = !(function() {
  try {
    // eval is refused under CSP, so the catch runs and the IIFE returns
    // undefined, which the outer ! turns into true.
    return eval("true");
  } catch (e) {}
})();

which is fewer bytes.

@IgorMinar IgorMinar added a commit that closed this issue Apr 28, 2012
@IgorMinar IgorMinar feat($parse): CSP compatibility
CSP (content security policy) forbids apps from using eval or
Function(string) generated functions (among other things). For us to be
compatible, we just need to implement the "getterFn" in $parse without
violating any of these restrictions.

We currently use Function(string) generated functions as a speed
optimization. With this change, it will be possible to opt into the CSP
compatible mode using the ngCsp directive. When this mode is on, Angular
will evaluate all expressions up to 30% slower than in non-CSP mode, but
no security violations will be raised.

In order to use this feature, put the ngCsp directive on the root element of
the application. For example:

<!doctype html>
<html ng-app ng-csp>
  ...
  ...
</html>

Closes #893
2b87c81
@IgorMinar IgorMinar closed this in 2b87c81 Apr 28, 2012
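The commit above describes replacing the Function(string)-generated "getterFn" with a CSP-safe implementation and selecting it by feature detection. The following is an added illustration, not AngularJS's own $parse code: it reuses the detection from the issue, builds the same property getter both as a generated function and as a plain closure, and picks the closure path when CSP is detected. The names compiledGetter, closureGetter, getterFn and its cspMode override are assumptions made for this example.

```javascript
// Added example (not AngularJS's own code). Names are hypothetical.

// Feature detection as posted in the issue: a CSP without 'unsafe-eval'
// makes `new Function(...)` throw, so the catch branch reports CSP mode.
var CSP_MODE = (function () {
  try {
    return !(new Function("return true")());
  } catch (e) {
    return true;
  }
})();

// Fast path: compile a dotted path such as "user.name" into a generated
// function. This is the string-to-code step that CSP forbids.
// JSON.stringify quotes each key so it lands in the source as a string literal.
function compiledGetter(path) {
  var body = "var s = scope;\n";
  path.split(".").forEach(function (key) {
    body += "if (s == null) return undefined;\n";
    body += "s = s[" + JSON.stringify(key) + "];\n";
  });
  return new Function("scope", body + "return s;");
}

// CSP-safe path: identical semantics (null-safe walk, undefined on a missing
// segment) with no code generation, so it raises no CSP violation.
function closureGetter(path) {
  var keys = path.split(".");
  return function (scope) {
    var s = scope;
    for (var i = 0; i < keys.length; i++) {
      if (s == null) return undefined;
      s = s[keys[i]];
    }
    return s;
  };
}

// Choose the implementation: the closure getter when CSP is detected, or
// when the caller opts in explicitly (the role ngCsp plays in the commit).
function getterFn(path, cspMode) {
  var useClosure = cspMode === undefined ? CSP_MODE : cspMode;
  return useClosure ? closureGetter(path) : compiledGetter(path);
}
```

Both getters return the same values for the same scope, so the only observable difference in CSP mode is the speed cost the commit message mentions.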
@jesselpalmer jesselpalmer pushed a commit that referenced this issue Sep 24, 2014
@IgorMinar IgorMinar feat($parse): CSP compatibility
6d59687