that innerHTML does not execute scripts is against the principle of least surprise.
If convenience damages security and the developer explicitly chose security, libraries need to conform. Simple.
-
-
I was thinking more about the default behavior. But if security is inconvenient, no one will adopt it.
-
FWs will want to *work* when developers "turn on" security features. So they will work around them. Simple.
-
And if they do they will be wrong, and detrimental to user security. Luckily it's a fixable problem.
-
is ng-csp detrimental to user security?
-
Yes, the Angular security model based on bypassing platform security features (via {{ }} and AST*) is wrong
-
... and is the source of countless vulnerabilities we otherwise wouldn't have. We can't let it happen again.
-
Also, saying that hardening APIs is bad because "frameworks can work around it" is incredibly short-sighted.
-
I am not saying that at all. Just saying we need to take this into account to not get it wrong.