ngSanitize triggers CSP alert/report in Firefox #16463
Comments
|
@thesam do you have any suggestion for how we could test for this FF bug (which is a security vulnerability) without the inline |
|
If I understand correctly this is how it works right now:
Maybe it could be done like this instead?
This way, the Firefox CSP alert will not be triggered if DOMParser is available. I guess this would mean that most browsers would use DOMParser instead of InertDocument. Are there any negative side effects of using DOMParser instead of InertDocument? |
|
I think I remember that inert document approach is faster and more secure, so I would be wary of changing it like this. But... perhaps we could change it to this approach if |
|
This now also triggers an error in Chrome. |
I went through the details I could find on this:
It doesn't seem that the inline Also the related unit test description is "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", and none of the related discussions really mention the style tag. The bug is more related to the HTML structure than the actual tags if I understood correctly (though some tags like Now that Angular.js is in Long Term Support, would it still be worthwhile to fix this? I guess this doesn't really count as a "security flaw". |
|
I would argue that it does count as a security flaw because now my only course of action is to effectively cripple my content security policy by adding 'unsafe-inline' |
…ection Inserting a `style` tag causes a CSP violation when using a strict CSP that doesn't allow inline styles. The `style` tag doesn't seem relevant for the Firefox bug detection, and can be replaced with a `span`, see issue angular#16463 for more details. The related unit test in `sanitizeSpec.js`, "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", is left untouched and still uses `style` to assert that the behavior hasn't changed in the original scenario. Fixes angular#16463.
|
Thanks for your input @crhistianramirez, I went ahead and created a pull request, let's see how it goes. 🙂 |
…ection Default to using DOMParser if it is available and fall back to createHTMLDocument if needed. This is the approach suggested in the related pull request angular#17013 and used by DOMPurify too. It also safely avoids using an inline style tag that causes CSP violation errors if inline CSS is prohibited. The related unit tests in `sanitizeSpec.js`, "should not allow JavaScript execution when creating inert document" and "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", are left untouched to assert that the behavior hasn't changed in those scenarios. Fixes angular#16463.
|
Any plans to take this off of the |
If `ngSanitize` is added as a module dependency and a Content-Security-Policy is set that does not allow inline styles then Firefox and Chrome show the following message: > Content Security Policy: The page’s settings observed the loading of a resource at self (“default-src”). A CSP report is being sent. This message is caused because AngularJS is creating an inline style tag to test for a browser bug that we use to decide what sanitization strategy to use, which causes CSP violation errors if inline CSS is prohibited. This test is no longer necessary, since the `DOMParser` is now safe to use and the `style` based check is redundant. In this fix, we default to using `DOMParser` if it is available and fall back to `createHTMLDocument()` if needed. This is the approach used by DOMPurify too. The related unit tests in `sanitizeSpec.js`, "should not allow JavaScript execution when creating inert document" and "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", are left untouched to assert that the behavior hasn't changed in those scenarios. Fixes #16463.
I'm submitting a ...
Current behavior:
If ngSanitize is added as a module dependency and a Content-Security-Policy is set that does not allow inline styles then Firefox shows the following message:
Our CSP looks like this:
If ngSanitize is removed from the module dependencies then the CSP message disappears as well.
Expected / new behavior:
ngSanitize should work in Firefox without triggering CSP alerts, at least if the "ng-csp" mode is enabled.
Minimal reproduction of the problem with instructions:
AngularJS version: 1.6.9
Browser: Firefox 60.0a1 and 59.0b10
Anything else:
I guess the following code triggers the CSP alert, since it adds an inline <style> tag.
// Check for the Firefox bug - which prevents the inner img JS from being sanitized inertBodyElement.innerHTML = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';From: https://github.com/angular/angular.js/blob/master/src/ngSanitize/sanitize.js
Line 443-444
The text was updated successfully, but these errors were encountered: