fix(core): use appropriate inert document strategy for Firefox & Safari

[petebacondarwin]

Both Firefox and Safari are vulnerable to XSS if we use an inert document
created via document.implementation.createHTMLDocument().

Now we check for those vulnerabilities and then use a DOMParser or XHR
strategy if needed.

Thanks to @cure53 for the heads up on this issue.

[petebacondarwin]

Locally I am getting this warning:

LOG: 'Attempting to configure '__esModule' with descriptor '{"value":true}' on object 'undefined' and got error, giving up: TypeError: Object.defineProperty called on non-object'

I am not sure what is causing this.

[mary-poppins]

The angular.io preview for abc704a is available here.

[mary-poppins]

The angular.io preview for 5c0104d is available here.

[mary-poppins]

The angular.io preview for bef4d33 is available here.

[mhevery]

Please don't do delete it will make window a slow object for the rest of the tests. Just assign undefined

[petebacondarwin]

OK!

[petebacondarwin]

Although that is quite an ironic statement given how slow the tests are generally :-P

[petebacondarwin]

The unit tests are failing on Travis. It seems it is because the inertBodyElement does not have the querySelector method. Is this some different mode than I am running locally?

[mary-poppins]

The angular.io preview for 3c1adac is available here.

[mprobst]

/CC @rjamet

[mprobst]

nit: should be lowerCamelCase, i.e. dom, right? It doesn't have to be a field in the class instance btw, it should be an initialized-once module level field. We just need to take care to initialize after the initial angular load, otherwise we risk getting the wrong DOM.

[petebacondarwin]

I was copying this casing from the previous code: https://github.com/angular/angular/pull/17019/files/3c1adac41b8a17262ae4c2dde7b61370869244f4#diff-4fba2f404f1048cbc43f747e3bc2606dL18. Happy to change this if appropriate.

I was not sure about the benefit of using a module level variable. Throughout the rest of the Angular code base, this getDOM() is used in a variety of ways: as it is needed (not cached at all) - e.g. the Title service; cached per instance - e.g. Meta service; and cached per module. But the majority use the call as required approach and looking at the implementation of this method it is super simple method:

export function getDOM() {
  return _DOM;
}

The downside of caching is that we get the wrong version of the DOM so it seems to me that it is actually safer and easier (and no slower) to just call getDOM() as required.

[mprobst]

Indeed, we don't really have a system here. I think I'd either access it through the getter (which hopefully your optimizer should inline) or from a lazily initialized module variable. YMMV, and I don't have data pointing either way.

[mprobst]

initialize DOM as a module level field here, as you do with inertBodyHelper below

[petebacondarwin]

The only reason I use a module level variable for inertBodyHelper is that it is used in a free standing exported function (rather than a class) and so there was no other container to hold the cached object.

Also, inertBodyHelper creates DOM elements and so it more performance sensitive than the simple implementation of getDOM().

[mprobst]

add a comment on what this does?

[mprobst]

you should document the lifetime of this object, i.e. that we reuse the same document for many sanitization runs has performance implications (creating many documents would be expensive).

[mprobst]

can't you access inertDocument.body?

[mprobst]

can you document which of these cases is the workaround for the FF bug?

[mprobst]

can you document that this is the Safari workaround case?

[mprobst]

document that this is the default and sane way.

[mprobst]

the code below doesn't use createHtmlDocument, fix the docs?

[mprobst]

For my information, are we actually running tests in Safari?

[petebacondarwin]

I think we are:

https://github.com/angular/angular/blob/master/browser-providers.conf.js#L32
and
https://github.com/angular/angular/blob/master/browser-providers.conf.js#L53

[koto]

LGTM security-wise.

[petebacondarwin]

@mprobst I added another commit with changes based on your review.

[mary-poppins]

The angular.io preview for 8691451 is available here.

[mary-poppins]

The angular.io preview for b0a1f13 is available here.

[mprobst]

LGTM.

[mprobst]

Indeed, we don't really have a system here. I think I'd either access it through the getter (which hopefully your optimizer should inline) or from a lazily initialized module variable. YMMV, and I don't have data pointing either way.

[petebacondarwin]

Just got to work out why it doesn't look good to Travis :-(

[mary-poppins]

You can preview 5f1556c at https://pr17019-5f1556c.ngbuilds.io/.

[petebacondarwin]

Unfortunately, it appears these changes affect the size of the CLI bundle due to the increase in the browser-platform package.

[petebacondarwin]

@mhevery / @IgorMinar who needs to OK this?

[mhevery]

approved

[mary-poppins]

You can preview 1cdc1a9 at https://pr17019-1cdc1a9.ngbuilds.io/.

[mary-poppins]

You can preview 69dbd01 at https://pr17019-69dbd01.ngbuilds.io/.

[mary-poppins]

You can preview eebc3c1 at https://pr17019-eebc3c1.ngbuilds.io/.

[mhevery]

http://test/OCL:184883749:BASE:184883778:1518037784622:6aaeb0f0

[IgorMinar]

OMG - 3kb?!?!? this makes me really sad. I suspect that we'll need to redo this in the future. lgtm for now.

[IgorMinar]

@petebacondarwin can you please send a PR against the LTS branch as well? I believe 4.4.x

[petebacondarwin]

LTS version here: #22077

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}