This repository has been archived by the owner on May 29, 2019. It is now read-only.

Accordion: href="javascript:void(0);" Content Security Policy (CSP) Error #3904

Closed
roomond opened this issue Jul 7, 2015 · 6 comments

Comments

@roomond
Contributor

roomond commented Jul 7, 2015

PR #2869 introduced an empty href attribute to enable keyboard accessibility for toggling accordion groups. This introduced a page refresh issue which was fixed by #3299. The fix for this was introducing a noop via javascript:void(0) to the href attribute. The result of this change is that it breaks the CSP rules such as our use case where we've disabled all inline javascript execution. This needs an alternative workaround that doesn't rely on having an inline script for the empty href attribute.

Please see https://developer.mozilla.org/en-US/docs/Web/Security/CSP for a quick introduction to CSP.
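The two halves of the problem described above, as an added example that is not part of this thread or of the ui-bootstrap code base: first a lint check that finds `javascript:` hrefs in a template (a `javascript:` URL is inline script, so a `script-src` without `'unsafe-inline'` blocks it), then a keyboard-accessible toggle that needs no href trick at all. The function names, the `onToggle` callback and the sample markup are assumptions made for the example.

```javascript
// Added example, not code from the ui-bootstrap project or this thread.
// Part 1: a lint check for the pattern the issue is about. A javascript: URL
// in href is inline script; with script-src lacking 'unsafe-inline' the
// browser refuses to run it, so href="javascript:void(0);" stops being a
// harmless noop and becomes a CSP violation report.

// Browsers strip leading/trailing C0 controls and spaces from a URL and
// remove ASCII tab, CR and LF anywhere in it before reading the scheme, so
// "java<TAB>script:" or " JavaScript:" still execute. Normalise the same way.
function isJavascriptUrl(href) {
  const cleaned = String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(cleaned);
}

// Scan an HTML/template string and return every <a> href that is a
// javascript: URL. A tag-level regex is enough for template linting; it does
// not decode character references, so "java&#9;script:" would be missed.
function findInlineScriptHrefs(html) {
  const hits = [];
  const anchorRe = /<a\b[^>]*?\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
    if (isJavascriptUrl(href)) hits.push(href);
  }
  return hits;
}

// Constructed sample markup (hypothetical, not the project's template):
// the void(0) workaround, two obfuscated variants, and one ordinary link.
const SAMPLE_HTML = `
<div class="panel-heading">
  <h4 class="panel-title">
    <a href="javascript:void(0);" class="accordion-toggle">Group 1</a>
    <a href=" JavaScript:void(0)" class="accordion-toggle">Group 2</a>
    <a href="java\tscript:void(0)" class="accordion-toggle">Group 3</a>
    <a href="/docs/accordion">documentation</a>
  </h4>
</div>`;

// Part 2: the CSP-clean replacement. Keyboard accessibility comes from
// role="button" and tabindex="0", not from href; the handlers live in this
// (external) script, attached with addEventListener, which CSP allows.
// preventDefault() is what stops a bare href="" from reloading the page if
// the element is still an <a>. onToggle is a caller-supplied callback.
function makeAccessibleToggle(el, onToggle) {
  el.setAttribute('role', 'button');
  el.setAttribute('tabindex', '0');
  el.setAttribute('aria-expanded', 'false');
  const toggle = (ev) => {
    ev.preventDefault();
    const open = el.getAttribute('aria-expanded') !== 'true';
    el.setAttribute('aria-expanded', String(open));
    onToggle(open);
  };
  el.addEventListener('click', toggle);
  el.addEventListener('keydown', (ev) => {
    // Enter and Space are what a native button responds to.
    if (ev.key === 'Enter' || ev.key === ' ') toggle(ev);
  });
  return el;
}

// Usage in a browser (skipped when run under Node).
if (typeof document !== 'undefined') {
  document.querySelectorAll('.accordion-toggle').forEach((a) => {
    a.removeAttribute('href'); // no URL needed once it is a button
    makeAccessibleToggle(a, (open) => console.log('open:', open));
  });
}
```

Running `findInlineScriptHrefs` over the sample reports all three `javascript:` variants and ignores the ordinary link. The toggle keeps the element focusable and operable from the keyboard, which is the accessibility goal #2869 had, without any inline script.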

@realityking
Contributor

CSP compatibility would be a great goal for UI Bootstrap. It's certainly a lot of work, but it's great if libraries don't stand in the way of hardening web sites.

@wesleycho
Contributor

Are there any other problems as far as CSP is concerned inside UI Bootstrap other than the improper href usage?

@wesleycho wesleycho added this to the 0.13.1 (Performance) milestone Jul 7, 2015
@realityking
Contributor

The other - and probably more difficult one - would be inline styles.

@wesleycho
Contributor

Is ng-style still considered ok?

@realityking
Contributor

TBH, I don't know. Without unsafe-inline, the style attribute is disallowed but CSSOM is allowed. My hunch is that it would work, but it should be tested. That said, the JS issue is much more interesting, as the security benefit is larger.
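To make the "style attribute disallowed, CSSOM allowed" distinction concrete, here is an added example that is not part of this thread or of ui-bootstrap: a small checker that reads a CSP header and says whether inline styles or inline scripts are permitted under it, followed by the two ways of setting a style, of which only the CSSOM one passes a policy without `'unsafe-inline'`. The helper names and the sample policies are assumptions; the remark about ng-style is my reading of jqLite's `.css()` (it assigns `element.style[prop]`), which is exactly the point the comment above says still needs testing in a browser.

```javascript
// Added example, not code from ui-bootstrap or this thread. Two parts:
// a checker for what a CSP header actually permits, and the CSSOM path that
// survives a policy without 'unsafe-inline'.

// Parse "directive src...; directive src..." into a Map of directive name
// to its source expressions. Names are case-insensitive; source values are
// kept as-is because nonce and hash values are case-sensitive.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src and style-src fall back to default-src when absent. A null
// result means nothing governs that directive, so everything is allowed.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Is inline content of this kind allowed? For style-src that is the style
// attribute and <style> blocks; for script-src it is inline handlers,
// <script> blocks and javascript: URLs. 'unsafe-inline' counts only when the
// same list has no nonce- or hash-source, because CSP Level 2 and later
// ignore it in that case (it is then only a fallback for older browsers).
function inlineAllowed(header, directive) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  const unsafeInline = sources.some((s) => /^'unsafe-inline'$/i.test(s));
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return unsafeInline && !nonceOrHash;
}

// Two ways to hide an element. Under a policy where
// inlineAllowed(policy, 'style-src') is false, the first is an inline style
// and is blocked; the second goes through the CSSOM (element.style) and is
// permitted. Assumption: jqLite's .css(), which ng-style uses, assigns
// element.style[prop] too, so ng-style is expected to take the second path.
function hideViaAttribute(el) {
  el.setAttribute('style', 'display: none');
}
function hideViaCssom(el) {
  el.style.display = 'none';
  return el.style.display;
}

// Browser-only demonstration; a blocked inline style surfaces as a
// securitypolicyviolation event rather than as an exception.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.log('CSP blocked:', e.violatedDirective, e.sample);
  });
  const probe = document.createElement('div');
  document.body.appendChild(probe);
  hideViaAttribute(probe); // reported and ignored without 'unsafe-inline'
  hideViaCssom(probe);     // takes effect
}
```

Serve the page with `Content-Security-Policy: default-src 'self'` and load this script from the same origin: the attribute path shows up in the console as a `style-src-attr`/`style-src` violation while the CSSOM path hides the element, which is the experiment the comment above asks for.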

@wesleycho
Contributor

I have opened a new ticket for the broader CSP question at #3911.
