OK, and how would you have done ng-csp differently?
-
I'll bite: if your JS FW bypasses platform restrictions you either fail closed or reimplement them yourself.
-
Replying to @arturjanc @sirdarckcat and
So for Angular, just don't implement ASTInterpreter or require nonces/hashes for expressions.
-
If they hadn't implemented it, authors wouldn't have been able to use CSP. How is this different?
-
Replying to @sirdarckcat @arturjanc and
I don't think ng-csp did any "harm" to users. On the contrary, it allowed authors to adopt (a version of) CSP.
-
Replying to @sirdarckcat @arturjanc and
They had to bypass unsafe-eval for the sake of increasing CSP adoption. How come ng-csp is the villain here?
-
Replying to @sirdarckcat @arturjanc and
because they chose to build their own interpreter instead of compiling to JS server-side?
-
Replying to @tehjh @arturjanc and
How would server side compilation work for Angular? (a client side framework)
-
Replying to @sirdarckcat @arturjanc and
aren't the expressions supposed to be static?
-
Replying to @tehjh @sirdarckcat and
I don't mean "compile to static HTML", I just mean "compile expressions to JS"
-
maybe at build time, find the double-curlies and ng attrs and replace them with proper JS
-
Replying to @tehjh @arturjanc and
Ah! Yes, that's how it works for Angular2. But it was too late for Angular1.
-
Replying to @sirdarckcat @tehjh and
Maybe it's not too late… maybe they would be interested to do this? @IgorMinar