Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upfix(core): do not trigger CSP alert/report in Firefox and Chrome #36578
+52
−110
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
|
The lint failures are in the file I changed but not in my changes, not sure if I should fix them. |
peruukki
force-pushed the
peruukki:sanitize-inert-remove-inline-style
branch
2 times, most recently
from
45cb61f
to
e2c69c2
koto
commented
Apr 16, 2020
|
As explained in angular/angular.js#17013 (comment), please don't change |
|
Thanks for the info and help, I'll try to get the fix right in Angular.js first and then come back to update this. |
peruukki
force-pushed the
peruukki:sanitize-inert-remove-inline-style
branch
from
e2c69c2
to
0d02499
peruukki
changed the title
|
I haven't heard back from the Angular.js pull request but updated this one anyway with a similar fix. The |
|
Also, like I mentioned in angular/angular.js#17013 (comment), we might want to make the DOMParser availability check stricter and verify that the HTML support version of |
peruukki
force-pushed the
peruukki:sanitize-inert-remove-inline-style
branch
from
0d02499
to
5ead6d3
peruukki
force-pushed the
peruukki:sanitize-inert-remove-inline-style
branch
from
5ead6d3
to
e48607b
|
I refactored the two strategies to separate classes and made the DOMParser availability check more accurate. |
|
CircleCI is indicating that this change makes the It wants you to update the following file and push up those changes for that test to pass: FAIL: Commit e48607b1e0767d70d51945b5a787d8362a5f26a7 uncompressed main-es2015 fell below expected size by 500 bytes or >1% (expected: 452060, actual: 451537).
If this is a desired change, please update the size limits in file '/home/circleci/ng/goldens/size-tracking/aio-payloads.json'. |
|
LGTM |
peruukki
force-pushed the
peruukki:sanitize-inert-remove-inline-style
branch
2 times, most recently
from
9615b65
to
f00ca94
|
lgtm now! thank you very much @peruukki! We are currently in a code freeze mode so no PRs are being merged until v10.0.0 is cut later this week. I expect this PR to be merged as soon as the code freeze is lifted after the release. |
) If [innerHTML] is used in a component and a Content-Security-Policy is set that does not allow inline styles then Firefox and Chrome show the following message: > Content Security Policy: The page’s settings observed the loading of a resource at self (“default-src”). A CSP report is being sent. This message is caused because Angular is creating an inline style tag to test for a browser bug that we use to decide what sanitization strategy to use, which causes CSP violation errors if inline CSS is prohibited. This test is no longer necessary, since the `DOMParser` is now safe to use and the `style` based check is redundant. In this fix, we default to using `DOMParser` if it is available and fall back to `createHTMLDocument()` if needed. This is the approach used by DOMPurify too. The related unit tests in `html_sanitizer_spec.ts`, "should not allow JavaScript execution when creating inert document" and "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", are left untouched to assert that the behavior hasn't changed in those scenarios. Fixes #25214.
The `inertDocument` member is only needed when using the InertDocument strategy. By separating the DOMParser and InertDocument strategies into separate classes, we can easily avoid creating the inert document unnecessarily when using DOMParser.
Verify that HTML parsing is supported in addition to DOMParser existence. This maybe wasn't as important before when DOMParser was used just as a fallback on Firefox, but now that DOMParser is the default choice, we need to be more accurate.
AndrewKushnir
force-pushed the
peruukki:sanitize-inert-remove-inline-style
branch
from
4287f92
to
2c8dfaa
|
Hi @@peruukki, FYI I rebased your PR on top of the latest master to make sure the payload size limits are still in the right range (since I merged a few more PRs). Once CI goes "green", this PR will be a part of the merge queue. Thank you. |
AndrewKushnir
added
PR target: master-only
and removed
PR target: master & patch
labels
AndrewKushnir
added a commit
that referenced
this pull request
Jun 26, 2020
AndrewKushnir
added a commit
that referenced
this pull request
Jun 26, 2020
AndrewKushnir
added a commit
that referenced
this pull request
Jun 26, 2020
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 26, 2020
…ular#36578) If [innerHTML] is used in a component and a Content-Security-Policy is set that does not allow inline styles then Firefox and Chrome show the following message: > Content Security Policy: The page’s settings observed the loading of a resource at self (“default-src”). A CSP report is being sent. This message is caused because Angular is creating an inline style tag to test for a browser bug that we use to decide what sanitization strategy to use, which causes CSP violation errors if inline CSS is prohibited. This test is no longer necessary, since the `DOMParser` is now safe to use and the `style` based check is redundant. In this fix, we default to using `DOMParser` if it is available and fall back to `createHTMLDocument()` if needed. This is the approach used by DOMPurify too. The related unit tests in `html_sanitizer_spec.ts`, "should not allow JavaScript execution when creating inert document" and "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", are left untouched to assert that the behavior hasn't changed in those scenarios. Fixes angular#25214.
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 26, 2020
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 26, 2020
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 26, 2020
The changes in angular#36687 removed enough code to exceed the CI check limits, so the expected main-es2015 size needs adjusting.
AndrewKushnir
added a commit
to AndrewKushnir/angular
that referenced
this pull request
Jun 26, 2020
This commit updates the payload size limit for the `hello_world` test app built using Closure. This is likely an effect of the changes in angular#36578 (that reduces the bundle size for most of the apps) and additional changes in subsequent commits.
AndrewKushnir
added a commit
to AndrewKushnir/angular
that referenced
this pull request
Jun 26, 2020
This commit updates the payload size limit for the `hello_world` test app built using Closure. This is likely an effect of the changes in angular#36578 (that reduces the bundle size for most of the apps) and additional changes in subsequent commits.
AndrewKushnir
added a commit
that referenced
this pull request
Jun 26, 2020
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 27, 2020
…ular#36578) If [innerHTML] is used in a component and a Content-Security-Policy is set that does not allow inline styles then Firefox and Chrome show the following message: > Content Security Policy: The page’s settings observed the loading of a resource at self (“default-src”). A CSP report is being sent. This message is caused because Angular is creating an inline style tag to test for a browser bug that we use to decide what sanitization strategy to use, which causes CSP violation errors if inline CSS is prohibited. This test is no longer necessary, since the `DOMParser` is now safe to use and the `style` based check is redundant. In this fix, we default to using `DOMParser` if it is available and fall back to `createHTMLDocument()` if needed. This is the approach used by DOMPurify too. The related unit tests in `html_sanitizer_spec.ts`, "should not allow JavaScript execution when creating inert document" and "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", are left untouched to assert that the behavior hasn't changed in those scenarios. Fixes angular#25214.
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 27, 2020
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 27, 2020
IgorMinar
added a commit
to IgorMinar/angular
that referenced
this pull request
Jun 27, 2020
The changes in angular#36687 removed enough code to exceed the CI check limits, so the expected main-es2015 size needs adjusting.
|
I cherry-picked this change in the 10.0.x branch as #37783 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
peruukki commentedApr 11, 2020
•
edited
Default to using DOMParser if it is available and fall back to createDocument if needed. This is the approach used by DOMPurify and suggested in the related Angular.js pull request angular/angular.js#17013. It also safely avoids using an inline style tag that causes CSP violation errors if inline CSS is prohibited.
The related unit tests in
html_sanitizer_spec.ts, "should not allow JavaScript execution when creating inert document" and "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", are left untouched to assert that the behavior hasn't changed in those scenarios.Fixes #25214.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
If [innerHTML] is used in a component and the Content-Security-Policy does not allow inline styles, a CSP violation will be reported by at least Firefox and Chrome.
Issue Number: #25214
What is the new behavior?
No CSP violation is reported.
Does this PR introduce a breaking change?
Other information
Like mentioned above, there is an existing unit test related to this change that tests that badly-formatted HTML is sanitized properly, and I didn't change the test because the behavior shouldn't have changed on that regard. I don't think there is a convenient way to test CSP violations, so I didn't write any new tests.
This is my first contribution attempt for Angular.😃