It doesn't get much clearer than a flag that says 'stop-executing-scripts-added-via-parser-based-JS-apis'.
So for Angular, just don't implement ASTInterpreter or require nonces/hashes for expressions.
-
If they hadn't implemented it, authors wouldn't have been able to use CSP. How is this different?
-
I don't think ng-csp did any "harm" to users. On the contrary, it allowed authors to adopt (a version of) CSP.
-
Yeah, and this mentality of bypassing security mechanisms also gave us template injections.
-
What? That makes no sense :-). Template Injections existed before ng-csp.
-
It's just an example of how the approach of "let's make it work despite security restrictions" is harmful.
-
Which brings us back to the point that bypassing security for "convenience" is an anti-pattern and must die.