Open jkubiszewski opened 1 year ago
I think setting policy to angular#unsafe-bypass per https://angular.io/guide/security#enforcing-trusted-types should work as we use Angular to set innerHTML. Or are you asking to add a dedicated policy for this library?
Okay, from the stack trace, it looks like it is about insertCss function. Could you please re-submit this issue in the https://github.com/FortAwesome/Font-Awesome? As this does not come from the angular-fontawesome, but from the fontawesome-svg-core which is our dependency.
Describe the problem you'd like to see solved or task you'd like to see made easier
I'm trying to use a CSP rule with trusted-types and I have an error that I'm not able to fix with angular-fontawesome.
What is 1 thing that we can do when building this feature that will guarantee that it is awesome?
angular-fontawesome should support the Trusted Types API so that it can be seamlessly integrated into applications that enforce trusted types for all DOM XSS injection sinks (such as innerHTML setters) via the require-trusted-types-for CSP directive. Trusted Types are now fully supported in major browsers such as Chrome and Edge.
Why would other angular-fontawesome users care about this?
To effectively defend against XSS attacks.
On a scale of 1 (sometime in the future) to 10 (absolutely right now), how soon would you recommend we make this feature?
8
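The replies above turn on which policy names the page's `trusted-types` directive allows, for example `angular#unsafe-bypass` or a dedicated library policy. As an added example (not code from angular-fontawesome, Font Awesome or Angular), this function applies the Trusted Types policy-creation rules to a CSP header string; the function names, the sample headers and the policy name `example-lib` are constructed for illustration.

```javascript
// Split a CSP header value into a Map of directive name -> value tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether createPolicy(policyName) would be permitted under `header`.
// `alreadyCreated` lists policy names created earlier on the same page.
// Keywords are compared exactly as written here (a simplification).
function checkPolicyCreation(header, policyName, alreadyCreated = []) {
  const d = parseCsp(header);
  // Sinks such as innerHTML are only locked down when this directive is set.
  const enforced = (d.get('require-trusted-types-for') || []).includes("'script'");
  const result = (allowed, reason) => ({ enforced, allowed, reason });

  if (!d.has('trusted-types')) {
    return result(true, 'no trusted-types directive, policy names are unrestricted');
  }
  const value = d.get('trusted-types');
  if (value.length === 1 && value[0] === "'none'") {
    return result(false, "'none' forbids creating any policy");
  }
  if (alreadyCreated.includes(policyName) && !value.includes("'allow-duplicates'")) {
    return result(false, "duplicate name without 'allow-duplicates'");
  }
  if (!value.includes(policyName) && !value.includes('*')) {
    return result(false, 'name is not listed in trusted-types');
  }
  return result(true, 'name is allowed by trusted-types');
}

// Constructed sample headers.
const ANGULAR_ONLY = "require-trusted-types-for 'script'; trusted-types angular";
const WITH_BYPASS =
  "trusted-types angular angular#unsafe-bypass; require-trusted-types-for 'script'";

for (const [label, header] of [['angular only', ANGULAR_ONLY], ['with bypass', WITH_BYPASS]]) {
  for (const name of ['angular', 'angular#unsafe-bypass', 'example-lib']) {
    const r = checkPolicyCreation(header, name);
    console.log(`${label}: ${name} -> ${r.allowed ? 'allowed' : 'blocked'} (${r.reason})`);
  }
}
```

A dependency that writes to a sink without a Trusted Types value is still blocked whenever `enforced` is true, whichever policy names are listed.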