cargdev/angular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
angular/packages
History
Harri Lehtola b0b7248504 fix(core): do not trigger CSP alert/report in Firefox and Chrome (#36578) (#37783) 
If [innerHTML] is used in a component and a Content-Security-Policy is set
that does not allow inline styles then Firefox and Chrome show the following
message:

> Content Security Policy: The page’s settings observed the loading of a
resource at self (“default-src”). A CSP report is being sent.

This message is caused because Angular is creating an inline style tag to
test for a browser bug that we use to decide what sanitization strategy to
use, which causes CSP violation errors if inline CSS is prohibited.

This test is no longer necessary, since the `DOMParser` is now safe to use
and the `style` based check is redundant.

In this fix, we default to using `DOMParser` if it is available and fall back
to `createHTMLDocument()` if needed. This is the approach used by DOMPurify
too.

The related unit tests in `html_sanitizer_spec.ts`, "should not allow
JavaScript execution when creating inert document" and "should not allow
JavaScript hidden in badly formed HTML to get through sanitization (Firefox
bug)", are left untouched to assert that the behavior hasn't changed in
those scenarios.

Fixes #25214.

PR Close #37783
2020-06-29 10:27:38 -07:00
..
animations
Revert "build: remove wombot proxy registry from package.jsons for release (#37378)" (#37495)
2020-06-10 08:21:46 -07:00
bazel
feat(bazel): expose explicit mapping from closure to devmode files (#36262)
2020-06-15 09:35:35 -07:00
benchpress
build: add wombot proxy for publish config for @angular/benchpress (#37752)
2020-06-25 17:08:19 -07:00
common
fix(http): avoid abort a request when fetch operation is completed (#37367)
2020-06-25 12:09:40 -07:00
compiler
refactor(compiler): remove extra imports (#37246)
2020-06-11 19:00:34 -07:00
compiler-cli
refactor(compiler-cli): Remove any cast for CompilerHost (#37079)
2020-06-26 11:08:18 -07:00
core
fix(core): do not trigger CSP alert/report in Firefox and Chrome (#36578) (#37783)
2020-06-29 10:27:38 -07:00
docs
docs(di): fix typo in advanced di doc (#36634)
2020-05-01 09:50:28 -07:00
elements
refactor(elements): add accessor workaround for build-optimizer (#37456)
2020-06-11 12:05:35 -07:00
examples
build: update license headers to reference Google LLC (#37205)
2020-05-26 14:27:01 -04:00
forms
fix(forms): correct usage of selectedOptions (#37620)
2020-06-25 12:08:01 -07:00
language-service
fix(language-service): incorrect autocomplete results on unknown symbol (#37518)
2020-06-26 14:51:33 -07:00
localize
Revert "build: remove wombot proxy registry from package.jsons for release (#37378)" (#37495)
2020-06-10 08:21:46 -07:00
platform-browser
docs: update api ref doc for platform browser (#37186)
2020-06-11 18:59:12 -07:00
platform-browser-dynamic
Revert "build: remove wombot proxy registry from package.jsons for release (#37378)" (#37495)
2020-06-10 08:21:46 -07:00
platform-server
Revert "feat(platform-server): use absolute URLs from Location for HTTP (#37071)" (#37547)
2020-06-12 15:09:58 -07:00
platform-webworker
Revert "build: remove wombot proxy registry from package.jsons for release (#37378)" (#37495)
2020-06-10 08:21:46 -07:00
platform-webworker-dynamic
Revert "build: remove wombot proxy registry from package.jsons for release (#37378)" (#37495)
2020-06-10 08:21:46 -07:00
private/testing
build: update license headers to reference Google LLC (#37205)
2020-05-26 14:27:01 -04:00
router
build: move shims_for_IE to third_party directory (#37624)
2020-06-26 11:09:02 -07:00
service-worker
docs(service-worker): update default value of SwRegistrationOptions#registrationStrategy (#37555)
2020-06-15 09:48:56 -07:00
upgrade
Revert "build: remove wombot proxy registry from package.jsons for release (#37378)" (#37495)
2020-06-10 08:21:46 -07:00
zone.js
fix(zone.js): remove unused Promise overwritten setter logic (#36851)
2020-06-11 18:56:19 -07:00
BUILD.bazel
build: reference zone.js from source directly instead of npm. (#33046)
2019-11-06 00:48:34 +00:00
circular-deps-test.conf.js
build: update license headers to reference Google LLC (#37205)
2020-05-26 14:27:01 -04:00
empty.ts
build: update license headers to reference Google LLC (#37205)
2020-05-26 14:27:01 -04:00
goog.d.ts
build: update license headers to reference Google LLC (#37205)
2020-05-26 14:27:01 -04:00
license-banner.txt
build: bump year (#34651)
2020-01-13 07:21:43 -08:00
README.md
docs: add doc reference to npm package readme (#33911)
2019-11-20 14:46:23 -08:00
system.d.ts
build: update license headers to reference Google LLC (#37205)
2020-05-26 14:27:01 -04:00
tsconfig-build-no-strict.json
refactor(core): ensure compatibility with typescript strict flag (#30993)
2019-07-18 14:21:25 -07:00
tsconfig-build.json
refactor(core): ensure compatibility with typescript strict flag (#30993)
2019-07-18 14:21:25 -07:00
tsconfig-test.json
refactor: fix typescript strict flag failures in all tests (#30993)
2019-07-18 14:21:26 -07:00
tsconfig.json
revert: "revert: "feat(dev-infra): exposed new rule 'component_benchmark' via dev_infra (#36434)" (#36798)" (#36800)
2020-06-03 13:12:31 -07:00
types.d.ts
build: update license headers to reference Google LLC (#37205)
2020-05-26 14:27:01 -04:00

README.md

Angular

The sources for this package are in the main Angular repo. Please file issues and pull requests against that repo.

Usage information and reference details can be found in Angular documentation.

License: MIT