If you want to strengthen CSP, allow scripts in innerHTML, and libraries will not implement insecure code to avoid surprising devs.
-
Is ng-csp detrimental to user security?
-
Yes, the Angular security model based on bypassing platform security features (via {{ }} and AST*) is wrong
-
... and is the source of countless vulnerabilities we otherwise wouldn't have. We can't let it happen again.
-
Also, saying that hardening APIs is bad because "frameworks can work around it" is incredibly short-sighted.
-
I am not saying that at all. Just saying we need to take this into account to not get it wrong.
-
I can show you dozens of examples where the current behavior of innerHTML led to hacks in libraries.
-
Every single one is a CSP bypass, btw.
-
Not really; it's incompatible with one particular way to do CSP ('strict-dynamic') and is easy to fix.
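The last reply says innerHTML-style script handling is "incompatible with one particular way to do CSP ('strict-dynamic')". The following is an added example, not code from anyone in the thread: a simplified model of how a CSP3 `script-src` decision is made, built to show the specific distinction 'strict-dynamic' draws. Scripts carrying a valid nonce or hash are allowed; scripts created by a trusted script through DOM APIs (`createElement` + `appendChild`, not parser-inserted) inherit that trust; scripts handed to the HTML parser (markup, `document.write`) are blocked, and host allowlists plus 'unsafe-inline' are ignored. The header strings, the `cdn.example.com` host, the nonce value and the `loadScript` helper are all constructed for the example; the model omits hash algorithms, wildcard host matching and 'unsafe-eval'.

```javascript
// Added example: didactic model of CSP3 script-src matching (subset of the spec).
// Not the spec algorithm and not a library; the policies and hosts below are constructed.

function parseScriptSrc(header) {
  const policy = { nonces: new Set(), hashes: new Set(), hosts: new Set(),
                   strictDynamic: false, unsafeInline: false, self: false };
  const directive = header.split(';')
    .map(d => d.trim())
    .find(d => d.startsWith('script-src '));
  if (!directive) return policy;
  for (const raw of directive.slice('script-src '.length).split(/\s+/)) {
    const s = raw.replace(/^'|'$/g, '');           // strip the quotes of keyword sources
    if (s === 'strict-dynamic') policy.strictDynamic = true;
    else if (s === 'unsafe-inline') policy.unsafeInline = true;
    else if (s === 'self') policy.self = true;
    else if (s.startsWith('nonce-')) policy.nonces.add(s.slice('nonce-'.length));
    else if (/^sha(256|384|512)-/.test(s)) policy.hashes.add(s);
    else if (s) policy.hosts.add(s);                // host-source, e.g. https://cdn.example.com
  }
  return policy;
}

// script = { inline?, src?, nonce?, hash?, parserInserted }
function isScriptAllowed(policy, script, pageOrigin) {
  // A matching nonce or hash always grants execution, with or without 'strict-dynamic'.
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  if (script.hash && policy.hashes.has(script.hash)) return true;

  if (policy.strictDynamic) {
    // Allowlist and 'unsafe-inline' are ignored. Trust propagates only to script
    // elements that were created by script via DOM APIs, i.e. not parser-inserted.
    return !script.parserInserted;
  }

  if (script.inline) {
    // CSP2+: 'unsafe-inline' is ignored once a nonce or hash appears in the policy.
    return policy.unsafeInline && policy.nonces.size === 0 && policy.hashes.size === 0;
  }
  const origin = new URL(script.src).origin;
  if (policy.self && origin === pageOrigin) return true;
  return policy.hosts.has(origin);
}

// Constructed policies: a nonce + 'strict-dynamic' policy and a classic host allowlist.
const STRICT_POLICY = "object-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' https://cdn.example.com; base-uri 'none'";
const ALLOWLIST_POLICY = "script-src 'self' https://cdn.example.com";
const PAGE_ORIGIN = 'https://app.example.com';

function scenarios() {
  const strict = parseScriptSrc(STRICT_POLICY);
  const allow = parseScriptSrc(ALLOWLIST_POLICY);
  const rootScript   = { inline: true, nonce: 'r4nd0m', parserInserted: true }; // nonced tag in the markup
  const domLoaded    = { src: 'https://cdn.example.com/lib.js', parserInserted: false }; // createElement by root
  const parserLoaded = { src: 'https://cdn.example.com/lib.js', parserInserted: true };  // document.write by a library
  const injected     = { inline: true, parserInserted: true };                            // attacker markup, no nonce
  return {
    rootScript: isScriptAllowed(strict, rootScript, PAGE_ORIGIN),
    domLoadedUnderStrictDynamic: isScriptAllowed(strict, domLoaded, PAGE_ORIGIN),
    parserLoadedUnderStrictDynamic: isScriptAllowed(strict, parserLoaded, PAGE_ORIGIN),
    injectedUnderStrictDynamic: isScriptAllowed(strict, injected, PAGE_ORIGIN),
    parserLoadedUnderAllowlist: isScriptAllowed(allow, parserLoaded, PAGE_ORIGIN),
  };
}

// Browser-side loader a library can use so it stays compatible with 'strict-dynamic'
// (assumes a DOM; hypothetical helper). The element is created by script, so it is not
// parser-inserted and inherits the trust of the nonced script that runs this code.
function loadScript(doc, url) {
  const el = doc.createElement('script');
  el.src = url;
  doc.head.appendChild(el);
  return el;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenarios());
}
```

The same `https://cdn.example.com/lib.js` load is allowed under the allowlist policy regardless of how the tag got into the document, but under 'strict-dynamic' only the DOM-created variant passes. That is the fix the reply calls easy: a library that writes script markup through the parser needs to switch to `createElement`/`appendChild` so the trust of the nonced root script propagates to it.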