FortAwesome / angular-fontawesome

Official Angular component for Font Awesome 5+
https://fontawesome.com
MIT License

Feature request: Trusted Types support #415

Open jkubiszewski opened 1 year ago

jkubiszewski commented 1 year ago

Describe the problem you'd like to see solved or task you'd like to see made easier

I'm trying to use a CSP rule with trusted-types and I have an error that I'm not able to fix with angular-fontawesome.


What is 1 thing that we can do when building this feature that will guarantee that it is awesome?

angular-fontawesome should support the Trusted Types API so that it can be seamlessly integrated into applications that enforce trusted types for all DOM XSS injection sinks (such as innerHTML setters) via the require-trusted-types-for CSP directive. Trusted Types are now fully supported in major browsers such as Chrome and Edge.

Why would other angular-fontawesome users care about this?

To effectively defend against XSS attacks.

On a scale of 1 (sometime in the future) to 10 (absolutely right now), how soon would you recommend we make this feature?

8

devoto13 commented 1 year ago

I think setting the policy to angular#unsafe-bypass per https://angular.io/guide/security#enforcing-trusted-types should work, as we use Angular to set innerHTML. Or are you asking to add a dedicated policy for this library?

Okay, from the stack trace, it looks like it is about the insertCss function. Could you please re-submit this issue in https://github.com/FortAwesome/Font-Awesome? This does not come from angular-fontawesome, but from fontawesome-svg-core, which is our dependency.
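The exchange above turns on whether the page's CSP lets Angular create its `angular#unsafe-bypass` policy under `require-trusted-types-for 'script'`; the following helper, added here as an example and not code from this thread or from the angular-fontawesome project, parses a Content-Security-Policy header and reports both facts so a policy can be checked offline before deployment. The two sample headers are constructed for the example, and the checks are a simplified reproduction of the browser's `trusted-types` directive matching (`'none'`, `*`, explicit names; duplicate-policy handling is not modelled).

```javascript
// Added example: inspect a CSP header for Trusted Types enforcement and
// policy allow-listing. Not part of angular-fontawesome or the thread.

// Parse "name value value; name value" into a Map, keeping only the first
// occurrence of each directive, as CSP does.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

const unquote = (v) => v.replace(/^'|'$/g, '').toLowerCase();

// True when DOM XSS sinks such as innerHTML must receive TrustedHTML /
// TrustedScript values, i.e. the header has require-trusted-types-for 'script'.
function enforcesTrustedTypes(header) {
  const values = parseCsp(header).get('require-trusted-types-for') || [];
  return values.some((v) => unquote(v) === 'script');
}

// True when trustedTypes.createPolicy(policyName, ...) would be permitted:
// no trusted-types directive allows any name, 'none' alone allows nothing,
// '*' allows any name, otherwise the name must be listed explicitly.
function policyAllowed(header, policyName) {
  const values = parseCsp(header).get('trusted-types');
  if (values === undefined) return true;
  const names = values.map(unquote).filter((v) => v !== 'allow-duplicates');
  if (names.length === 1 && names[0] === 'none') return false;
  if (names.includes('*')) return true;
  return values.map((v) => v.replace(/^'|'$/g, '')).includes(policyName);
}

// Constructed sample headers: the first allows only Angular's default policy,
// so the unsafe-bypass policy suggested in the thread cannot be created; the
// second lists it explicitly.
const CSP_STRICT =
  "default-src 'self'; require-trusted-types-for 'script'; trusted-types angular";
const CSP_WITH_BYPASS =
  "default-src 'self'; require-trusted-types-for 'script'; trusted-types angular angular#unsafe-bypass";

function diagnose(header, policyName) {
  return { enforced: enforcesTrustedTypes(header), allowed: policyAllowed(header, policyName) };
}
```

Running `diagnose(CSP_STRICT, 'angular#unsafe-bypass')` yields `{ enforced: true, allowed: false }`, which is the situation that produces a policy-creation error in the browser; the second header yields `{ enforced: true, allowed: true }`.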