support CSP mode #893

Closed
IgorMinar opened this Issue · 1 comment

2 participants

@IgorMinar
Owner

https://developer.mozilla.org/en/Security/CSP/Default_CSP_restrictions

There is just one place in the parser which needs to be fixed. We can feature-detect CSP with:

var CSP_MODE = (function() {
  try {
    // Under a CSP without 'unsafe-eval', Function(string) throws, so the
    // return below is only reached when dynamic code generation is allowed.
    return !(new Function("return true")());
  } catch (e) {
    // Constructing the function threw: CSP is enforced.
    return true;
  }
})();

If detected, we are not going to dynamically create the getter fn.

@esprehn

I think this might work too:

var CSP_MODE = !(function() {
  try {
    // eval works: the IIFE returns true and CSP_MODE becomes false.
    return eval("true");
  } catch (e) {}
  // eval threw under CSP: the IIFE returns undefined and CSP_MODE becomes true.
})();

which is fewer bytes.

@IgorMinar IgorMinar closed this issue from a commit
@IgorMinar IgorMinar feat($parse): CSP compatibility
CSP (content security policy) forbids apps from using eval or
Function(string)-generated functions (among other things). For us to be
compatible, we just need to implement the "getterFn" in $parse without
violating any of these restrictions.

We currently use Function(string) generated functions as a speed
optimization. With this change, it will be possible to opt into the CSP
compatible mode using the ngCsp directive. When this mode is on Angular
will evaluate all expressions up to 30% slower than in non-CSP mode, but
no security violations will be raised.

In order to use this feature put ngCsp directive on the root element of
the application. For example:

<!doctype html>
<html ng-app ng-csp>
  ...
  ...
</html>

Closes #893
2b87c81
@IgorMinar IgorMinar closed this in 2b87c81
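The two detection snippets in the comments above and the getterFn strategy described in the commit message, combined into one runnable example. This is an added illustration and not AngularJS's own $parse code: `detectCspMode`, `compiledGetter`, `interpretedGetter`, `getterFn` and the sample scope object are all made up here. The detector takes an optional constructor argument only so the blocked-by-CSP branch can be exercised without a real policy in place.

```javascript
// Added example (not AngularJS's code). Feature-detect CSP, then build a
// getter for a dotted expression such as "user.address.city" either by
// compiling it with new Function (the fast path that CSP blocks) or by
// walking the object at call time (the CSP-safe path ngCsp opts into).

// Same test as in the issue: with 'unsafe-eval' absent from script-src,
// new Function(string) throws an EvalError. FunctionCtor defaults to the
// real Function; a fake one is passed in only to simulate the CSP case.
function detectCspMode(FunctionCtor) {
  FunctionCtor = FunctionCtor || Function;
  try {
    return !(new FunctionCtor("return true")());
  } catch (e) {
    return true;
  }
}

// Stand-in for a blocked Function constructor, for testing the CSP branch.
function BlockedFunction() {
  throw new EvalError("call to Function() blocked by CSP");
}

// Fast path: emit source text for the property chain and compile it once.
// Only plain identifier segments are accepted so the generated source never
// contains anything but quoted property names.
function compiledGetter(path) {
  var keys = path.split(".");
  for (var i = 0; i < keys.length; i++) {
    if (!/^[A-Za-z_$][\w$]*$/.test(keys[i])) {
      throw new Error("unsupported path segment: " + keys[i]);
    }
  }
  var body = "var v = scope;\n";
  for (var j = 0; j < keys.length; j++) {
    body += "if (v == null) return undefined;\n";
    body += "v = v[" + JSON.stringify(keys[j]) + "];\n";
  }
  body += "return v;";
  return new Function("scope", body);
}

// CSP-safe path: no code generation at all, the chain is interpreted on
// every call. Slower, but raises no CSP violation.
function interpretedGetter(path) {
  var keys = path.split(".");
  return function (scope) {
    var v = scope;
    for (var i = 0; i < keys.length; i++) {
      if (v == null) return undefined;
      v = v[keys[i]];
    }
    return v;
  };
}

// Pick the strategy the way the ngCsp opt-in does: compiled unless CSP mode
// is on, interpreted otherwise.
function getterFn(path, cspMode) {
  return cspMode ? interpretedGetter(path) : compiledGetter(path);
}

// Constructed sample scope for a quick check of both strategies.
var sampleScope = { user: { address: { city: "Oslo", zip: 0 } }, empty: null };

function evaluateBothWays(path) {
  return {
    compiled: getterFn(path, false)(sampleScope),
    interpreted: getterFn(path, true)(sampleScope)
  };
}
```

In a real page the detection runs once at bootstrap and the result drives every getter the parser builds, which is why the commit only needs to touch one place in $parse.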
@jesselpalmer jesselpalmer referenced this issue from commit 6d59687 (feat($parse): CSP compatibility, same commit message as 2b87c81 above)