And if they do they will be wrong, and detrimental to user security. Luckily it's a fixable problem.
Is ng-csp detrimental to user security?
Yes, the Angular security model based on bypassing platform security features (via {{ }} and AST*) is wrong
OK, and how would you have done ng-csp differently?
I'll bite: if your JS FW bypasses platform restrictions you either fail closed or reimplement them yourself.
Replying to @arturjanc @sirdarckcat and
So for Angular, just don't implement ASTInterpreter or require nonces/hashes for expressions.
If they hadn't implemented it, authors wouldn't have been able to use CSP. How is this different?
Replying to @sirdarckcat @arturjanc and
I don't think ng-csp did any "harm" to users. On the contrary, it allowed authors to adopt (a version of) CSP.
Replying to @sirdarckcat @arturjanc and
Am I missing something here? ng-csp broke CSP, and it broke it even for websites without Angular.
Replying to @tehjh @arturjanc and
Agreed. Angular was one of the libraries that killed CSP whitelists (not the only one but one of them)