docs(ngCsp): update explanation of CSP rules and how they affect Angular
Update the description of CSP, mainly regarding `unsafe-eval` and `unsafe-inline`. The way it was presented previously was slightly misleading as it indicated that these were rules forbidding certain things, when in fact it's a keyword in the CSP that disables the very rule that was described. The updated text clarifies this better. Closes #15142
This commit is contained in:
committed by
Georgios Kalpakas
parent
f1cc58c7d2
commit
b59bc0b01d
+25
-19
@@ -7,28 +7,34 @@
|
||||
* @element html
|
||||
* @description
|
||||
*
|
||||
* Angular has some features that can break certain
|
||||
* Angular has some features that can conflict with certain restrictions that are applied when using
|
||||
* [CSP (Content Security Policy)](https://developer.mozilla.org/en/Security/CSP) rules.
|
||||
*
|
||||
* If you intend to implement these rules then you must tell Angular not to use these features.
|
||||
* If you intend to implement CSP with these rules then you must tell Angular not to use these
|
||||
* features.
|
||||
*
|
||||
* This is necessary when developing things like Google Chrome Extensions or Universal Windows Apps.
|
||||
*
|
||||
*
|
||||
* The following rules affect Angular:
|
||||
* The following default rules in CSP affect Angular:
|
||||
*
|
||||
* * `unsafe-eval`: this rule forbids apps to use `eval` or `Function(string)` generated functions
|
||||
* (among other things). Angular makes use of this in the {@link $parse} service to provide a 30%
|
||||
* increase in the speed of evaluating Angular expressions.
|
||||
* * The use of `eval()`, `Function(string)` and similar functions to dynamically create and execute
|
||||
* code from strings is forbidden. Angular makes use of this in the {@link $parse} service to
|
||||
* provide a 30% increase in the speed of evaluating Angular expressions. (This CSP rule can be
|
||||
* disabled with the CSP keyword `unsafe-eval`, but it is generally not recommended as it would
|
||||
* weaken the protections offered by CSP.)
|
||||
*
|
||||
* * `unsafe-inline`: this rule forbids apps from inject custom styles into the document. Angular
|
||||
* makes use of this to include some CSS rules (e.g. {@link ngCloak} and {@link ngHide}).
|
||||
* To make these directives work when a CSP rule is blocking inline styles, you must link to the
|
||||
* `angular-csp.css` in your HTML manually.
|
||||
* * The use of inline resources, such as inline `<script>` and `<style>` elements, are forbidden.
|
||||
* This prevents apps from injecting custom styles directly into the document. Angular makes use of
|
||||
* this to include some CSS rules (e.g. {@link ngCloak} and {@link ngHide}). To make these
|
||||
* directives work when a CSP rule is blocking inline styles, you must link to the `angular-csp.css`
|
||||
* in your HTML manually. (This CSP rule can be disabled with the CSP keyword `unsafe-inline`, but
|
||||
* it is generally not recommended as it would weaken the protections offered by CSP.)
|
||||
*
|
||||
* If you do not provide `ngCsp` then Angular tries to autodetect if CSP is blocking unsafe-eval
|
||||
* and automatically deactivates this feature in the {@link $parse} service. This autodetection,
|
||||
* however, triggers a CSP error to be logged in the console:
|
||||
* If you do not provide `ngCsp` then Angular tries to autodetect if CSP is blocking dynamic code
|
||||
* creation from strings (e.g., `unsafe-eval` not specified in CSP header) and automatically
|
||||
* deactivates this feature in the {@link $parse} service. This autodetection, however, triggers a
|
||||
* CSP error to be logged in the console:
|
||||
*
|
||||
* ```
|
||||
* Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of
|
||||
@@ -53,15 +59,15 @@
|
||||
*
|
||||
*
|
||||
* * No declaration means that Angular will assume that you can do inline styles, but it will do
|
||||
* a runtime check for unsafe-eval. E.g. `<body>`. This is backwardly compatible with previous versions
|
||||
* of Angular.
|
||||
* a runtime check for unsafe-eval. E.g. `<body>`. This is backwardly compatible with previous
|
||||
* versions of Angular.
|
||||
*
|
||||
* * A simple `ng-csp` (or `data-ng-csp`) attribute will tell Angular to deactivate both inline
|
||||
* styles and unsafe eval. E.g. `<body ng-csp>`. This is backwardly compatible with previous versions
|
||||
* of Angular.
|
||||
* styles and unsafe eval. E.g. `<body ng-csp>`. This is backwardly compatible with previous
|
||||
* versions of Angular.
|
||||
*
|
||||
* * Specifying only `no-unsafe-eval` tells Angular that we must not use eval, but that we can inject
|
||||
* inline styles. E.g. `<body ng-csp="no-unsafe-eval">`.
|
||||
* * Specifying only `no-unsafe-eval` tells Angular that we must not use eval, but that we can
|
||||
* inject inline styles. E.g. `<body ng-csp="no-unsafe-eval">`.
|
||||
*
|
||||
* * Specifying only `no-inline-style` tells Angular that we must not inject styles, but that we can
|
||||
* run eval - no automatic check for unsafe eval will occur. E.g. `<body ng-csp="no-inline-style">`
|
||||
|
||||
Reference in New Issue
Block a user