FWIW >80% of policies have unsafe-eval so even without such bypasses it's bad. + there's JSONP
Replying to @arturjanc @darkcton and
also CDNs usually host multiple angular versions. So you can usually pick the oldest one.
2 replies 0 retweets 0 likes
Replying to @slekies @arturjanc and
that is definitely true, I was more interested in projects that use angular and their security
1 reply 0 retweets 0 likes
if I use angular, does CSP bring an advantage, if not why.
1 reply 0 retweets 0 likes
Protects you from some DOM XSS (i.e. in directive code), but if you can {{}}, you're doomed.
1 reply 1 retweet 0 likes
that is really sad to hear :( CSP is such a nice idea for improving security. any solutions?
1 reply 0 retweets 0 likes
In Angular 2 there's no template injection possible, so CSP makes sense there.
2 replies 1 retweet 1 like
So the solution is upgrading to angular 2.0 as soon as it is out of RC?
1 reply 0 retweets 0 likes
ng2 + CSP would work only if you use ahead of time ng2 compiler. Unlikely your devs will
2 replies 0 retweets 0 likes
Replying to @kkotowicz @darkcton and
IMHO the point is that unlike in V1, AoT in V2 (http://blog.mgechev.com/2016/08/14/ahead-of-time-compilation-angular-offline-precompilation/) can prevent injection
1 reply 0 retweets 2 likes
So if you care enough you can make your project use it, and then have CSP help against DOM XSS
Replying to @arturjanc @kkotowicz and
good! As a matter of fact I do care enough even though upgrade to ng2 will take time! Thanks!
0 replies 0 retweets 1 like
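The thread's two recurring weaknesses, `'unsafe-eval'` in `script-src` and allow-listing an entire shared CDN origin (which then serves whatever library version is requested), can be caught when a policy is reviewed. The following linter is an added example, not code from anyone in the thread; the sample policies and CDN host name are constructed.

```python
"""Lint a Content-Security-Policy header for the weaknesses discussed above.

Added example; the policies in the test are constructed and the CDN host is
an illustrative assumption.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Source expressions that let injected markup run script (or eval) directly.
RISKY_KEYWORDS = {"'unsafe-eval'", "'unsafe-inline'", "*", "data:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_findings(header: str) -> list[str]:
    """Return findings for the effective script-src (falls back to default-src)."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    findings: list[str] = []
    for src in sources:
        low = src.lower()
        if low in RISKY_KEYWORDS:
            findings.append(f"{src}: injected markup can execute script or eval directly")
        elif low.startswith("'"):
            continue  # 'self', 'none', nonces and hashes are not host allow-lists
        elif "//" not in low and low.endswith(":"):
            findings.append(f"{src}: scheme-only source allows any host on that scheme")
        else:
            # A host source with no path allow-lists every file on that host; a
            # shared CDN then supplies any library version (e.g. an old Angular).
            parsed = urlsplit(src if "//" in src else "//" + src)
            if parsed.path in ("", "/"):
                findings.append(f"{src}: whole-origin allow-list; pin a path or use nonces/hashes")
    has_nonce_or_hash = any(s.lower().startswith(("'nonce-", "'sha")) for s in sources)
    if not has_nonce_or_hash:
        findings.append("no nonce/hash source; prefer a nonce-based policy with 'strict-dynamic'")
    return findings
```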