clancytom / u-ultimate.js

UulimateJS - A lighter web app framework

ngSanitize triggers CSP alert/report in Firefox #9

Open koaex opened 2 years ago

koaex commented 2 years ago

I'm submitting a ...

Current behavior:

If ngSanitize is added as a module dependency and a Content-Security-Policy is set that does not allow inline styles then Firefox shows the following message:

Content Security Policy: The page’s settings observed the loading of a resource at self (“default-src”). A CSP report is being sent.

Our CSP looks like this:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /foo

If ngSanitize is removed from the module dependencies then the CSP message disappears as well.

Expected / new behavior:

ngSanitize should work in Firefox without triggering CSP alerts, at least if the "ng-csp" mode is enabled.

Minimal reproduction of the problem with instructions:

  1. Set the Content-Security-Policy to: default-src: 'self'
  2. Add 'ngSanitize' as a module dependency.

Browser: Firefox 60.0a1 and 59.0b10

Anything else: I guess the following code triggers the CSP alert, since it adds an inline <style> tag.

    // Check for the Firefox bug - which prevents the inner img JS from being sanitized
    inertBodyElement.innerHTML = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';

From: https://github.com/angular/angular.js/blob/master/src/ngSanitize/sanitize.js Line 443-444
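The reports Firefox sends to `report-uri /foo` under the policy above need triage on the server side before anyone can tell a sanitizer probe from a real injection. The following is an added example (not code from u-ultimate.js or angular.js) of a Node helper for that endpoint; the report field names follow the CSP report JSON and the sample reports are constructed.

```javascript
// Added example, not code from u-ultimate.js or angular.js: normalise CSP reports
// posted to the report-uri (/foo in the issue) and count how many are inline
// violations that fell back to default-src, the class the ngSanitize probe lands in.
// Assumption: old Firefox labels an inline violation with blocked-uri "self" (as in
// the message quoted in the issue), Chrome with "inline".
const INLINE_BLOCKED = new Set(['inline', 'self', '']);

function parseCspReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r !== 'object') throw new Error('not a CSP report');
  const violated = String(r['violated-directive'] || '');
  // Firefox 59/60 reports omit effective-directive; the directive name is the
  // first token of violated-directive ("default-src 'self'" -> "default-src").
  const effective = String(r['effective-directive'] || violated.split(' ')[0]);
  return {
    documentUri: String(r['document-uri'] || ''),
    effectiveDirective: effective,
    blockedUri: String(r['blocked-uri'] || ''),
    policy: String(r['original-policy'] || ''),
  };
}

// With the issue's policy (default-src 'self', no style-src) an inline <style>
// is checked against default-src. Without a script-sample the report cannot say
// whether the inline resource was a style or a script, so both count here.
function isInlineViolation(rep) {
  const d = rep.effectiveDirective;
  const inlineDirective = d === 'default-src' || d === 'style-src' ||
    d === 'style-src-elem' || d === 'script-src' || d === 'script-src-elem';
  return inlineDirective && INLINE_BLOCKED.has(rep.blockedUri);
}

// Aggregate a batch of raw report bodies into counts per class.
function summariseReports(bodies) {
  const counts = { inline: 0, other: 0, malformed: 0 };
  for (const body of bodies) {
    let rep;
    try { rep = parseCspReport(body); } catch (e) { counts.malformed++; continue; }
    if (isInlineViolation(rep)) counts.inline++; else counts.other++;
  }
  return counts;
}

// Constructed sample reports: a Firefox-style inline fallback to default-src,
// a Chrome-style img-src violation with a remote URL, and a junk body.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': 'default-src', 'blocked-uri': 'self', 'original-policy': "default-src 'self'; report-uri /foo" } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "img-src 'self'", 'effective-directive': 'img-src', 'blocked-uri': 'https://cdn.example/x.png', 'original-policy': "default-src 'self'; report-uri /foo" } }),
  'not json',
];
```

Because the issue's header is `Content-Security-Policy-Report-Only`, nothing is blocked; the counts only show how much of the report noise is inline fallback traffic.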

koaex commented 2 years ago

If I understand correctly this is how it works right now:

  1. If Safari bug exists: Use getInertBodyElement_XHR
  2. Else if Firefox bug exists: Use getInertBodyElement_DOMParser
  3. Else: Use getInertBodyElement_InertDocument

Maybe it could be done like this instead?

  1. If Safari bug exists: Use getInertBodyElement_XHR
  2. Else if DOMParser is available: Use getInertBodyElement_DOMParser
  3. Else if Firefox bug exists: fail/throw/abort!
  4. Else: Use getInertBodyElement_InertDocument

This way, the Firefox CSP alert will not be triggered if DOMParser is available.

I guess this would mean that most browsers would use DOMParser instead of InertDocument. Are there any negative side effects of using DOMParser instead of InertDocument?