Which @angular/* package(s) are the source of the bug?
common/http
Is this a regression?
No
Description
HttpClient.jsonp() accepts a caller-provided URL and loads it as a JSONP script resource.
If an application enables JSONP support and passes attacker-controlled input directly into http.jsonp(), for example from the current page URL:
// Attacker-controlled: taken straight from the query string of the current page.
const jsonpUrl = new URL(location.href).searchParams.get('jsonpUrl');
// Passed to HttpClient.jsonp() without any protocol or origin check.
this.http.jsonp(jsonpUrl!, 'callback').subscribe();
then a crafted link can cause the browser to execute an attacker-controlled JSONP resource in the Angular application context.
For example, if jsonpUrl is a data:text/javascript,... resource, the loaded script executes before invoking Angular’s generated JSONP callback.
Angular should reject or restrict unsafe JSONP resource URLs before creating the script element. At minimum, non-HTTP(S) protocols such as data:, blob:, javascript:, file:, and filesystem: should not be accepted as JSONP script resources.
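The restriction described above, as an added example that is not Angular's own code: a guard an application can run on a JSONP URL before it reaches http.jsonp(), rejecting every non-HTTP(S) scheme and, going beyond the minimum the report asks for, also limiting the host to an allowlist. The names isSafeJsonpUrl, guardedJsonp, ALLOWED_JSONP_HOSTS and the example hostnames are assumptions for this illustration.

```typescript
// Added example, not part of @angular/common/http. Names and hosts below are
// assumptions; the hostnames are constructed sample values.

// Only real network schemes may be used as a JSONP <script src>.
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// Hosts this application actually expects to load JSONP from (constructed).
const ALLOWED_JSONP_HOSTS = new Set(['app.example.com', 'api.example.com']);

// Origin the relative URLs resolve against (constructed; would be location.href in a browser).
const APP_BASE = 'https://app.example.com/';

function isSafeJsonpUrl(raw: string, base: string = APP_BASE): boolean {
  let parsed: URL;
  try {
    // Resolve exactly as the browser would when the string becomes a script src;
    // unparseable input is rejected rather than passed through.
    parsed = new URL(raw, base);
  } catch (_e) {
    return false;
  }
  // The WHATWG parser lowercases the scheme and trims surrounding whitespace,
  // so " JavaScript:..." still arrives here as 'javascript:' and is refused.
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return false;
  // Embedded credentials have no legitimate use in a script resource URL.
  if (parsed.username !== '' || parsed.password !== '') return false;
  // Any http(s) host on the Internet is still too broad; pin to known endpoints.
  return ALLOWED_JSONP_HOSTS.has(parsed.hostname);
}

// Wrapper that only invokes the loader (e.g. a closure over http.jsonp) for
// URLs that pass the guard. Returns whether the load was permitted.
function guardedJsonp(raw: string, loader: (url: string) => void): boolean {
  if (!isSafeJsonpUrl(raw)) return false;
  loader(raw);
  return true;
}
```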
Please provide a link to a minimal reproduction of the bug
This issue was previously reported to the Google VRP. The original PoV and discussion can be seen here, if accessible: https://issuetracker.google.com/u/1/issues/510947871
Anything else?
If we consider Angular's model, which is secure by default, I believe it shouldn't allow it unless we explicitly want to perform a bypass.