
Security guide #1760

Open. Wants to merge 3 commits into base: master.
7 participants
@chrisvfritz (Member) commented Aug 22, 2018

No description provided.

@shentao (Member) left a comment

Looks solid so far. I would also add a paragraph about using SSR that would lead to the SSR guide.

Edit: And here I am accidentally selecting approve instead of comment.

@chrisvfritz chrisvfritz force-pushed the chrisvfritz/security-guide branch from 9624193 to ae96a8e Aug 22, 2018

@chrisvfritz (Member, Author) commented Aug 22, 2018

@shentao I decided to leave out SSR (at least for now), since most people aren't using it and we already cover security concerns specific to SSR throughout the SSR docs rather than consolidated on a single page.

@shentao (Member) commented Aug 22, 2018

What about a short "tip" like this:

Building Server-Side Rendered Applications requires additional care to make the application secure. Please visit ssr.vuejs.org to learn how to avoid common issues and vulnerabilities.

@chrisvfritz chrisvfritz force-pushed the chrisvfritz/security-guide branch from ae96a8e to 4d97f52 Aug 22, 2018

@chrisvfritz (Member, Author) commented Aug 22, 2018

@shentao I just added a note at the end. What do you think?

@chrisvfritz chrisvfritz force-pushed the chrisvfritz/security-guide branch from 5f612db to 4efd9fd Aug 22, 2018

@shentao (Member) commented Aug 22, 2018

Perfect! Couldn’t write it better myself. 👍

@bwokich commented Aug 22, 2018

Thank you gentlemen! We really appreciate this!

@dandoyon commented Aug 22, 2018

Hi this is Dan Doyon from Doctor On Demand, thanks so much for starting the security guide. Being in the business of health care we need to ensure all our products are safe. We are very much looking forward to migrating from AngularJS 1.x to Vue.

@chrisvfritz chrisvfritz requested a review from yyx990803 Aug 24, 2018

@chrisvfritz chrisvfritz changed the title [WIP] Security guide Security guide Aug 24, 2018


```html
<style>{{ userProvidedStyles }}</style>
```

@yyx990803 (Member) commented on the snippet above, Aug 26, 2018

Should note here that Vue will refuse to render <style> tags inside templates.

@yyx990803 (Member) commented Aug 26, 2018

Looks great. There's one thing I would add: sometimes we receive vulnerability reports on how it's possible to do XSS in Vue templates - and we in general do not consider such cases actual vulnerabilities, because there are two possible cases for this to actually lead to a breach:

  1. The dev is explicitly asking Vue to render user-provided, unsanitized content as Vue templates. This is inherently unsafe and it's impractical for Vue to protect you from that.

  2. You are mounting Vue to an entire HTML page which happens to contain server-rendered & user-provided content. This is actually fundamentally the same as (1), but sometimes devs may do it without realizing it. This can lead to possible vulnerabilities where the attacker provides HTML which is safe as plain HTML but unsafe as a Vue template. The best practice is to never mount Vue on nodes that may contain server-rendered & user-provided content.
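To make case (2) concrete, the following is an added example, not code from this PR or from Vue itself. It simulates the trust boundary in plain JavaScript with a deliberately tiny stand-in for mustache interpolation: text inside `{{ }}` is compiled to a JavaScript expression, so the HTML escaping a backend applies to user content does nothing to stop it, because the browser decodes the entities before a DOM-mounted template compiler ever reads the text. All names (`escapeHtml`, `renderTemplate`, `mountOnWholePage`, `mountOnOwnNode`) and the sample comment are hypothetical and constructed for this illustration.

```javascript
// Added illustration of the two cases above. This is NOT Vue's compiler; it is
// a deliberately tiny stand-in that keeps the one property that matters:
// text inside {{ }} is compiled to JavaScript, so server-side HTML escaping
// of user content does not neutralise it. All names below are hypothetical.

// What a typical backend does to user content before rendering it into the
// page. Note that '{' and '}' are not touched: they are harmless as HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The browser decodes entities while building the DOM, and a compiler that
// reads its template from already-mounted DOM nodes sees the decoded text.
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// Stand-in for mustache interpolation: each {{ expr }} is evaluated as a JS
// expression with the component state in scope, which is the trust model any
// template compiler applies to text it is asked to compile.
function renderTemplate(html, state) {
  return html.replace(/\{\{([\s\S]+?)\}\}/g, (_, expr) => {
    const evaluate = new Function('state', `with (state) { return (${decodeEntities(expr)}); }`);
    return String(evaluate(state));
  });
}

// Constructed attacker input: it contains no tags, so it is safe as plain
// HTML, but it is a valid template expression. constructor.constructor reaches
// Function from any object in scope; the classic payload calls alert(), this
// one just returns a marker so the result can be checked.
const userComment = "nice post {{ constructor.constructor('return \"PWNED\"')() }}";

// Case 2: the whole server-rendered page, user comment included, is handed to
// the template compiler. The escaped comment is compiled and executed.
function mountOnWholePage(comment, state) {
  const page =
    `<div id="app"><h1>{{ title }}</h1></div>` +
    `<p class="comment">${escapeHtml(comment)}</p>`;
  return renderTemplate(page, state);
}

// Fix: compile only the node the app owns. The comment stays outside it and
// remains the inert escaped text the server produced.
function mountOnOwnNode(comment, state) {
  const app = renderTemplate(`<div id="app"><h1>{{ title }}</h1></div>`, state);
  return app + `<p class="comment">${escapeHtml(comment)}</p>`;
}

console.log(mountOnWholePage(userComment, { title: 'Hello' }));
console.log(mountOnOwnNode(userComment, { title: 'Hello' }));
```

The first call yields `nice post PWNED` inside the comment paragraph; the second leaves the literal `{{ constructor.constructor(...) }}` text in place. In a real Vue 2 page the equivalent mistake is mounting on a wrapper element that also contains server-rendered user content; if such content genuinely has to sit inside the mounted element, Vue's `v-pre` directive tells the compiler to skip that subtree, and changing the delimiters is not a defence.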

@sdras (Member) commented Apr 8, 2019

Hey @chrisvfritz! If you have time, could you please let me know where this one is at? I also wouldn't mind finishing it up for you if you're busy. Thanks!
