fix(csp): fix autodetection of CSP + better docs #8191
Conversation
Thanks for the PR! Please check the items below to help us merge this faster. See the contributing docs for more information.
If you need to make changes to your pull request, you can update the commit with Thanks again for your help!
@caitp please review
@@ -921,12 +921,26 @@ function equals(o1, o2) { | |||
return false; | |||
} | |||
|
|||
var csp = { | |||
isActive_: undefined, |
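Review bot: `isActive_: undefined` reads as a three-state flag (not yet probed / probed true / probed false), but the hunk adds no comment saying so; document next to the field that `undefined` means "detection has not run yet", so a caller testing `!csp.isActive_` does not mistake "unknown" for "CSP off".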
nit: whitespace is a bit awkward here
looks generally good, just double checking the docs.
@@ -11,8 +11,10 @@ | |||
* This is necessary when developing things like Google Chrome Extensions. | |||
* | |||
* CSP forbids apps to use `eval` or `Function(string)` generated functions (among other things). |
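Review bot: the doc sentence "CSP forbids apps to use `eval` or `Function(string)` generated functions" holds only for a policy whose `script-src` (or the `default-src` fallback) omits `'unsafe-eval'`; reword it to "a CSP without `'unsafe-eval'` forbids ..." so readers do not assume every policy blocks the Function constructor. That qualification matters here because the `new Function('')` probe this PR relies on reports such a policy as no CSP at all.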
the trouble with this is that we're making an assumption that `eval` is disabled --- which it isn't necessarily (`unsafe-eval`). I expect this will be fine for most users, but it's not entirely accurate. I guess we need to wait until there is a better way to get this information (before changing that)
if unsafe-eval is enabled then we will be able to use our generated getters which means that we'll possibly display an error due to the stylesheet, but that's not a big deal.
Okay, looks good with nits --- fixing the nits will keep the api strictly compatible with the previous implementation, but it's a private API so I don't care a whole lot. It's up to you.
unit tests are broken. fixing that now.
CSP spec got changed and it is no longer possible to autodetect if a policy is active without triggering a CSP error: w3c/webappsec@1888295

Now we use `new Function('')` to detect if CSP is on. To prevent error from this detection to show up in console developers have to use the ngCsp directive.

(This problem became more severe after our recent removal of `simpleGetterFn` which made us depend on function constructor for all expressions.)

Closes angular#8162
Closes angular#8191
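The detection the commit message describes, together with the `unsafe-eval` caveat caitp raises in the review thread, as an added JavaScript example. This is not code from angular.js; the names `cspState`, `probeDynamicCode`, `cspActive` and `policyBlocksEval` and the sample header values are constructed for this illustration.

```javascript
// Added example (not AngularJS's own code): probe-based CSP detection as in
// the commit message, plus a header-level check covering the 'unsafe-eval'
// caveat from the review. All names here are assumptions for this example.

// Mirrors the tri-state flag in the hunk: undefined means "not probed yet".
var cspState = { isActive_: undefined };

// A CSP whose script-src (or default-src fallback) lacks 'unsafe-eval' makes
// the Function constructor throw; catching that throw is the detection. The
// throw is also what produces the console violation report the commit message
// warns about, which is why a page that already knows it runs under CSP should
// opt in explicitly (ngCsp) rather than rely on the probe.
// fnCtor is injectable so the blocked branch can be exercised where no CSP
// exists at all, such as under Node.
function probeDynamicCode(fnCtor) {
  var ctor = fnCtor || Function;
  try {
    ctor('');          // equivalent to new Function('')
    return false;      // ran: no CSP, or the policy allows 'unsafe-eval'
  } catch (e) {
    return true;       // refused: a CSP without 'unsafe-eval' is active
  }
}

// Cached accessor so the violation report fires at most once per page.
function cspActive(fnCtor) {
  if (cspState.isActive_ === undefined) {
    cspState.isActive_ = probeDynamicCode(fnCtor);
  }
  return cspState.isActive_;
}

// Review-time check of a Content-Security-Policy header value: does the
// policy actually block eval-style code generation? This is the gap caitp
// points out: a policy carrying 'unsafe-eval' is still "CSP on", yet the
// runtime probe above reports it as off.
function policyBlocksEval(headerValue) {
  var directives = {};
  headerValue.split(';').forEach(function (part) {
    var tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives[tokens[0].toLowerCase()] = tokens.slice(1);
    }
  });
  // script-src governs scripts; default-src applies only when it is absent.
  var sources = directives['script-src'] || directives['default-src'];
  if (!sources) {
    return false;  // nothing in this policy restricts script execution
  }
  return sources.indexOf("'unsafe-eval'") === -1;
}
```

The two checks are deliberately separate: `cspActive` answers "will dynamic code generation fail in this document right now", which is all the runtime needs, while `policyBlocksEval` answers "does the served header intend to block it", which is the question a reviewer asks when the probe says CSP is off but the response did carry a policy.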
Manually enable Angular CSP mode as auto-detection triggers a harmless, though nonetheless annoying CSP error. CSP detection has also proved to be brittle. Override Angular's Bower main block to include `angular-csp.css` so that Wiredep can inject it for us. See: angular/angular.js#8191