CSP auto detection not working in 1.3.0-beta 15 and Packaged Chrome App? #8162
The minified stacktrace isn't spectacularly useful here, but there have been known problems with CSP autodetection for a while now. I would be surprised if the root cause of the problem is actually the version of angular (since there's nothing in beta 15 which should break CSP), but more likely the version of chrome/android webview being tested against. As a workaround, don't depend on CSP autodetection; use the ng-csp directive instead. There are similar issues to this which have been opened over the past few months, and the fact is, CSP is sort of an emerging standard, vendors are still sorting out how it should work, and changes are happening. Certain code paths are chosen in angular based on whether we think we need to make CSP happy, so the suggestion is to not depend on autodetection, and just "force" CSP mode for packaged apps instead. Note, this is my own personal opinion, and isn't necessarily party line. I think it will do what you need it to do, for the most part, though.
Of course I can (and will) force CSP from now, I think that I can spare
That would be helpful, but yes, there have been issues with auto-detection of CSP for quite some time now, especially with more recent versions of Chrome. There have been some changes to $parse lately, so it's possible that one of those getter paths that was removed was avoiding the unsafe path which is taken when CSP isn't detected --- but that would mean CSP mode was broken before anyway, and you just happened to be getting lucky and taking a "safe" path. This is entirely possible, and perhaps likely. We might need to revert 5f6b378 or find a better way around that instead.
Here is the uncompressed stack trace. Chrome version is 35.0.1916.153 m (stable channel).

```
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
angular.js:11195
getterFn angular.js:11195
Lexer.readIdent angular.js:10583
Lexer.lex angular.js:10426
Parser.parse angular.js:10674
(anonymous function) angular.js:11292
compile angular.js:20294
applyDirectivesToNode angular.js:6580
compileNodes angular.js:6141
compileNodes angular.js:6153
compileNodes angular.js:6153
compileNodes angular.js:6153
compile angular.js:6081
(anonymous function) angular.js:1505
Scope.$eval angular.js:12769
Scope.$apply angular.js:12867
(anonymous function) angular.js:1503
invoke angular.js:4062
doBootstrap angular.js:1501
bootstrap angular.js:1515
angularInit angular.js:1427
(anonymous function) angular.js:23152
trigger angular.js:2656
(anonymous function) angular.js:2929
forEach angular.js:327
eventHandler angular.js:2928
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:".
at Window.Function (native)
at getterFn (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:11195:34)
at Lexer.readIdent (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:10583:30)
at Lexer.lex (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:10426:26)
at Parser.parse (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:10674:38)
at chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:11292:51
at Object.compile (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:20294:34)
at applyDirectivesToNode (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:6580:52)
at compileNodes (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:6141:31)
at compileNodes (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:6153:31) <button ng-click="doFirmwareCheck()"> angular.js:10264
(anonymous function) angular.js:10264
(anonymous function) angular.js:7506
applyDirectivesToNode angular.js:6587
compileNodes angular.js:6141
compileNodes angular.js:6153
compileNodes angular.js:6153
compileNodes angular.js:6153
compile angular.js:6081
(anonymous function) angular.js:1505
Scope.$eval angular.js:12769
Scope.$apply angular.js:12867
(anonymous function) angular.js:1503
invoke angular.js:4062
doBootstrap angular.js:1501
bootstrap angular.js:1515
angularInit angular.js:1427
(anonymous function) angular.js:23152
trigger angular.js:2656
(anonymous function) angular.js:2929
forEach angular.js:327
eventHandler angular.js:2928
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
angular.js:11195
getterFn angular.js:11195
Lexer.readIdent angular.js:10583
Lexer.lex angular.js:10426
Parser.parse angular.js:10674
(anonymous function) angular.js:11292
$interpolate angular.js:8923
addTextInterpolateDirective angular.js:7071
collectDirectives angular.js:6307
compileNodes angular.js:6137
compileNodes angular.js:6153
compileNodes angular.js:6153
compileNodes angular.js:6153
compileNodes angular.js:6153
compileNodes angular.js:6153
compile angular.js:6081
(anonymous function) angular.js:1505
Scope.$eval angular.js:12769
Scope.$apply angular.js:12867
(anonymous function) angular.js:1503
invoke angular.js:4062
doBootstrap angular.js:1501
bootstrap angular.js:1515
angularInit angular.js:1427
(anonymous function) angular.js:23152
trigger angular.js:2656
(anonymous function) angular.js:2929
forEach angular.js:327
eventHandler angular.js:2928
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:".
at Window.Function (native)
at getterFn (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:11195:34)
at Lexer.readIdent (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:10583:30)
at Lexer.lex (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:10426:26)
at Parser.parse (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:10674:38)
at chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:11292:51
at $interpolate (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:8923:39)
at addTextInterpolateDirective (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:7071:41)
at collectDirectives (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:6307:29)
at compileNodes (chrome-extension://jeecijlolcehjchhmbdccimkbhhibjdm/libs/angular.js:6137:38) angular.js:10264
(anonymous function) angular.js:10264
(anonymous function) angular.js:7506
Scope.$apply angular.js:12869
(anonymous function) angular.js:1503
invoke angular.js:4062
doBootstrap angular.js:1501
bootstrap angular.js:1515
angularInit angular.js:1427
(anonymous function) angular.js:23152
trigger angular.js:2656
(anonymous function) angular.js:2929
forEach angular.js:327
eventHandler angular.js:2928
```
Yeah, so that would be the fault of 5f6b378. Note, you'd still have problems in beta 14 (because CSP detection has been broken in chrome for ages), depending on the expression being evaluated, but in beta 14, we "happened" to have a fast path when a small number of keys was used, which didn't rely on creating a new Function object. /CC @rodyhaddad
Ok, thanks. As I said, I will be forcing CSP anyway.
@caitp CSP detection is broken in chrome? Has this been reported? 😕 Hm, a bit of googling doesn't show /CC @IgorMinar |
@rodyhaddad what I mean is that our way of detecting CSP has not worked for Chrome for quite a few versions (of chrome) now (there have been quite a few issues reported about this on angular). |
Our way of detecting CSP uses an API specifically requested by us. I'm not aware of the CSP spec changing in any way that would break this. We need to investigate this.
Both #7391 and #6707 have had issues with auto-detection of CSP mode in modern Chrome browsers; I recall there have been others too. I did some research into this a few months ago and it seemed at the time like our use of the API has been broken for a while now. But just using ng-csp as a workaround has been a good enough workaround that it hasn't bothered most people, I guess.
The CSP spec got changed, and it is no longer possible to autodetect whether a policy is active without triggering a CSP error: w3c/webappsec@1888295. Now we use `new Function('')` to detect if CSP is on. To prevent the error from this detection from showing up in the console, developers have to use the ngCsp directive. (This problem became more severe after our recent removal of `simpleGetterFn`, which made us depend on the function constructor for all expressions.) Closes angular#8162
I created a PR with a fix for this: #8191 |
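To make the mechanism in the commit message concrete, here is an added example (not AngularJS's own code, nor the code of the fix) of the two things the thread is about: probing for CSP with `new Function('')`, and the two ways a dotted expression can be turned into a getter, one compiled through the Function constructor (which is what throws under a policy without `'unsafe-eval'`) and one that walks the keys at runtime, as an ng-csp style safe path does. `cspRestrictedFunction` is a constructed stand-in for the Function constructor in a CSP-restricted page; it assumes the browser raises an `EvalError` with the message quoted in this issue. The function names and the `opts.csp` flag are this example's own, not AngularJS API.

```javascript
// Probe as described in the commit message: under a policy without
// 'unsafe-eval', `new Function('')` throws, and that is the CSP signal.
// The cost is the console error the commit mentions; an explicit flag
// (what ng-csp provides) lets callers skip the probe entirely.
function detectCsp(FunctionCtor = Function) {
  try {
    new FunctionCtor('');
    return false; // Function constructor allowed: no restrictive CSP
  } catch (e) {
    return true;  // EvalError under CSP: use the interpreted path
  }
}

// Constructed stand-in for the Function constructor in a CSP-restricted
// page (assumption: real browsers throw an EvalError like the one quoted
// in this issue).
function cspRestrictedFunction() {
  throw new EvalError(
    "Refused to evaluate a string as JavaScript because 'unsafe-eval' " +
    "is not an allowed source of script"
  );
}

// "Unsafe" getter: compiles the dotted path into a function body, the
// shape of path that needs the Function constructor and so fails under CSP.
function compiledGetter(path, FunctionCtor = Function) {
  const lines = path.split('.').map(
    key => `s = (s == null) ? undefined : s[${JSON.stringify(key)}];`
  );
  return new FunctionCtor('s', lines.join('\n') + '\nreturn s;');
}

// CSP-safe getter: walks the keys at runtime, no string-to-code step,
// so it works regardless of the policy.
function interpretedGetter(path) {
  const keys = path.split('.');
  return function (scope) {
    let s = scope;
    for (const key of keys) {
      if (s == null) return undefined;
      s = s[key];
    }
    return s;
  };
}

// Choose the path: an explicit csp flag (the ng-csp case) wins and avoids
// the probe; otherwise fall back to probing, accepting the console error.
function getterFn(path, opts = {}) {
  const FunctionCtor = opts.FunctionCtor || Function;
  const csp = opts.csp === undefined ? detectCsp(FunctionCtor) : opts.csp;
  return csp ? interpretedGetter(path) : compiledGetter(path, FunctionCtor);
}

// Constructed sample scope for a stand-alone run.
const sampleScope = { user: { name: 'ann', address: null } };
console.log('CSP detected here:', detectCsp());
console.log('user.name ->', getterFn('user.name')(sampleScope));
console.log('user.address.city ->', getterFn('user.address.city')(sampleScope));
```

Run under Node, `detectCsp()` is false and both getters agree on every path; passing `cspRestrictedFunction` shows the failure mode from the stack traces above (`compiledGetter` throws the `EvalError`) and the recovery (`getterFn` with that constructor, or with `csp: true`, still resolves the path through the interpreted getter).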
Hello,
I was playing with 1.3.0 in a Packaged Chrome App, and everything was working fine. Overwriting beta14 with beta15 gave me those errors, which went away when I added ng-csp to . Is this intended?