I did not find a (working!) escape for Angular 1.5.8 with CSP mode enabled. Can you point me to one?
FWIW, >80% of policies have unsafe-eval, so even without such bypasses it's bad. Plus there's JSONP.
Also, CDNs usually host multiple Angular versions, so you can usually pick the oldest one.
That is definitely true. I was more interested in projects that use Angular and their security.
If I use Angular, does CSP bring an advantage? If not, why?
Protects you from some DOM XSS (i.e. in directive code), but if you can {{}}, you're doomed.
That is really sad to hear :( CSP is such a nice idea for improving security. Any solutions?
In Angular 2 there's no template injection possible, so CSP makes sense there.
So the solution is upgrading to Angular 2.0 as soon as it is out of RC?
Yes, I know. I was not arguing against the conclusion, just interested in the details :)