Refine csp checks for unsafeEval.
#11933
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project, in which case you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed, please reply here (e.g.
|
| active = false; | ||
| } | ||
| return (unsafeEval.isActive_ = active); | ||
| }; |
There was a problem hiding this comment.
Having unsafeEval split out of csp may make it chatty in the console. I can add guards to it if you all would like.
|
Corporate CLA: Microsoft. |
| } catch (e) { | ||
| active = true; | ||
| } | ||
| active = !unsafeEval(); |
There was a problem hiding this comment.
this whole bit could be changed to
active = active || !unsafeEval();
|
Any other concerns or issues? |
|
@jdalton can you please explain how this improves anything on Windows? It looks like you are trying to force non-csp mode even when developer opts in to it, which changes the semantics of the opt-in. What's the real world scenario you are trying to fix? |
|
@IgorMinar Currently the csp check in Angular assumes that csp means unsafe eval is not allowed, however in Windows 10 WWA the default csp policy allows unsafe eval.
The benefit is to give a perf boost out of the box for those using Angular in WWAs. |
|
The only side effect of opting into the CSP mode is that we don't use function constructor. So just by not opt-ing into the CSP mode you get the perf benefit you are looking for. As far as I can tell the only impact of your change is that if someone explicitly opts into the CSP mode via ng-csp directive, we will ignore it and still use function constructor in |
|
There is one more place where csp mode plays any role and that's when including the default stylesheet. I assume that on WWA this would throw, in which case you'd want to prevent that via ng-csp, which then forces you down the slow path in $parse. Is that the case? |
It's not ignoring CSP, it's using
I don't think there's an issue with local stylesheets. How is it loading the default stylesheet? Inline scripts are still not allowed by the Win 10 WWA default csp policy. |
|
We prepend an inline stylesheet to the head while booting, unless ng-csp is found in the doc. |
|
unsafe-inline is allowed by the Win 10 default WWA CSP policy too. |
|
In that case then just don't use |
|
Sorry, slipped on the wrong button there |
|
if for whatever reason we need $sniffer.csp to distinguish between unsafe-inline and unsafe-eval, it would be preferable to remove the need to inline the stylesheet (and instead use https://developer.mozilla.org/en-US/docs/Web/API/CSSStyleSheet/insertRule to add the default styles to the document). afterwards ng-csp would only control if we attempt to autodetect unsafe-eval or not. the primary reason for ng-csp was to avoid autodetection which relies on throwing exceptions which is not nice and interferes with debugging. but from what you described, you actually don't need to change angular in order to get your performance benefit. |
Outside of default CSP policies devs can provide their own CSP policies in apps or sites that while they may restrict inline stylesheets can allow |
|
I think we can fix this in a cleaner way. Either we remove the inline stylesheet from Angular (using <html ng-csp-inline-style ng-csp-unsafe-eval>or <html ng-csp="inline-style;unsafe-eval">The first option is preferable to us as it means that we don't have to worry about people tweaking their CSP config in subtle ways that we don't support. |
|
Closing for now. @jdalton if you would like to progress this along the lines of one of the above solutions, then please open a new PR. I would suggest trying to fix it by removing our dependency on inline styles first. |
|
@petebacondarwin I can dig it. Update: |
|
Ping @petebacondarwin. If the style issue can't be resolved then I think this PR still has merit. |
|
Ping again. I'd like to continue this discussion since there doesn't seem like there's a way to avoid the css csp restriction. |
|
@jdalton sorry about that - got a bit distracted by AngularU. Can we continue this next week? I am flying back to the UK tomorrow. |
Sure thing |
|
To be honest, I haven't really understood the aim of this PR. From what I read here, WWAs have a default CSP policy which includes both Slightly off topic: The best solution would be if browsers exposed the current security policy. This was once specified but for some reason it's absent from newer drafts. |
|
@realityking See #11933 (comment).
Yep. Having CSP restrictions is fine or getting rid of the directives ( |
|
So the deal is that Angular does two things that can be locked down by CSP:
Currently if you don't specify the @jdalton would like to refine this so that we can lock down only one or the other of these two things. The SHA idea would mean that we don't need to lock down the inline styles issue, which means that Angular only need to lock down the unsafe eval, which could be done with If this doesn't work then we should make I would like to test the SHA approach on the browsers that we support before going with the second option. It is worth noting that the hash based approach is part of the W3C Editor's Draft https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-valid-hashes |
|
A final option that I would consider is to simply have the option of a custom build that would exclude restricted aspects. I believe that @IgorMinar has generally been against this idea. |
|
Yeah the custom build for the CSS was something I submitted way back: #8459 From the other options, I think I prefer this one: |
|
I think it would be more intuitive if it was: <html ng-csp-no-inline-style ng-csp-no-unsafe-eval> |
|
Here is another idea: How about we use the fact that CSP rules can be defined as meta tags in the HTML. Angular will parse the meta tags for CSP rules and work out whether it is allowed to do inline-style and/or unsafe-eval. This may require rules to be duplicated, both on the server and in the HTML but is not requiring specialised |
|
:-( I did some testing and indeed the SHA CSP header for styles doesn't work on Safari 8.0.7 So this is not a viable strategy. Although I think it was a nice idea. |
|
Ok, so for the unsafe eval side of things is there anything else to do/tweak? |
|
We need to have a configurable
I would like to use the last one because, a) it doesn't require multiple build files, b) it is a standard way of specifying CSP directives anyway, and so would make sense to someone reading the HTML who doesn't know about angular. What do people think? |
|
After a discussion with @btford I am going to knock up a PR with the 4th idea |
|
Actually, I began to implement that and found that there are so many potential combinations of directive rules that we would need to be able to parse it added far too much code. Instead, I am going to go with the following: You can choose from the following declarations in your application: No declaration means that Angular will assume that you can do inline styles, but it will do a runtime check for unsafe-eval. [This is the same as we have currently] A simple Providing a value of Providing a value of |
|
@petebacondarwin what would happen if tomorrow there is another CSP parameter we would like it to be configurable? Are we going to keep on adding things to the |
|
We only care about CSP rules that we actively break inside core, which are doing eval and injecting inline styles. If we started doing something else in core, which would break a CSP rule then we would need to add an option to deactivate that code if the application developer wanted to have that rule turned on. In the scenario described above That being said I am wondering whether the rules should be the other way around, i.e. the two options would be:
Then you would have the following options for No declaration means that Angular will assume that you can do inline styles, but it will do a runtime check for unsafe-eval. [This is the same as we have currently] A simple ng-csp (or data-ng-csp) attribute will tell Angular not to do either the inline styles or the unsafe eval. [This is the same as we have currently] This tells Angular that we must not use eval, but that we can inject inline styles. This tells Angular that we must not inject styles, but that we can run eval. This tells Angular that we must not inject styles nor use eval, which is the same as an empty: If we add a new feature to Angular that potentially breaks a CSP rule then we would add a switch to turn it off. |
|
@petebacondarwin This sounds reasonable to me. I'll close this one in favor of your PR. |
|
Thanks. I will have it ready in a few hours - just going through the tests and docs |
There are two different features in Angular that can break CSP rules: use of `eval` to execute a string as JavaScript and dynamic injection of CSS style rules into the DOM. This change allows us to configure which of these features should be turned off to allow a more fine grained set of CSP rules to be supported. Closes angular#11933 Closes angular#8459
|
Thanks, will check it out |
There are two different features in Angular that can break CSP rules: use of `eval` to execute a string as JavaScript and dynamic injection of CSS style rules into the DOM. This change allows us to configure which of these features should be turned off to allow a more fine grained set of CSP rules to be supported. Closes angular#11933 Closes angular#8459
There are two different features in Angular that can break CSP rules: use of `eval` to execute a string as JavaScript and dynamic injection of CSS style rules into the DOM. This change allows us to configure which of these features should be turned off to allow a more fine grained set of CSP rules to be supported. Closes angular#11933 Closes angular#8459
There are two different features in Angular that can break CSP rules: use of `eval` to execute a string as JavaScript and dynamic injection of CSS style rules into the DOM. This change allows us to configure which of these features should be turned off to allow a more fine grained set of CSP rules to be supported. Closes #11933 Closes #8459 Closes #12346
There are two different features in Angular that can break CSP rules: use of `eval` to execute a string as JavaScript and dynamic injection of CSS style rules into the DOM. This change allows us to configure which of these features should be turned off to allow a more fine grained set of CSP rules to be supported. Closes angular#11933 Closes angular#8459 Closes angular#12346
There are two different features in Angular that can break CSP rules: use of `eval` to execute a string as JavaScript and dynamic injection of CSS style rules into the DOM. This change allows us to configure which of these features should be turned off to allow a more fine grained set of CSP rules to be supported. Closes angular#11933 Closes angular#8459 Closes angular#12346
This PR refines the csp checks for function compilation because the default policy in WWA (Windows Web Apps) allows
unsafe-eval. This would give a ~30% boost when evaluating expressions.