Sharing Top Content from the Angular-sphere.

fix(security): do not auto-bootstrap when loaded from an extension. · angular/angular.js@0ff10e1 · GitHub

Angular Content Security Policy (CSP) Bypass  #websec #xss #infosec

  • – The tests are a bit indirect as reproducing the actual scenario is too complicated to reproduce (requires signing an extension etc).
  • + // Fake a minimal document object (the actual document.currentScript is readonly).
  • + it('should not bootstrap from an extension into a non-extension document', function () {
  • Now if a site already has an XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection.
  • fix(security): do not auto-bootstrap when loaded from an extension.

angular.js – AngularJS – HTML enhanced for web apps!

@ptracesecurity: Angular Content Security Policy (CSP) Bypass #websec #xss #infosec

Extension URIs (`resource://…`) bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. Now if a site already has an XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection.

Notes:
– `isAutoBootstrapAllowed` must be initialized on load, so that `currentScript` is set correctly.
– The tests are a bit indirect as reproducing the actual scenario is too complicated to reproduce (requires signing an extension etc). I have confirmed this to be working manually.

Closes #15346
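To make the guard described in the commit concrete, here is an added example (not the AngularJS project's own code) that models the decision as a pure function: `scriptSrc` stands in for `document.currentScript.src`, `documentHref` for `document.location.href`, and the allow-list of web schemes is this example's assumption.

```javascript
'use strict';

// Schemes a page can legitimately load scripts from on the web. Anything else
// (chrome-extension:, moz-extension:, resource:, ...) is treated as an
// extension-style source that the page's CSP cannot restrict.
const WEB_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'blob:', 'file:', 'data:']);

function sameSite(a, b) {
  // Compare scheme and host explicitly: URL.origin is the opaque string "null"
  // for non-special schemes, which would make two different extensions look
  // like the same origin.
  return a.protocol === b.protocol && a.host === b.host;
}

// Decide whether angular.js, loaded from `scriptSrc` into the document at
// `documentHref`, may auto-bootstrap (process ng-app on DOMContentLoaded).
// Returns false only when the script comes from a non-web scheme that differs
// from the document's own scheme/host, i.e. an extension's copy of Angular
// injected into an ordinary web page.
function allowAutoBootstrap(scriptSrc, documentHref) {
  // Inline scripts have no src: nothing to compare, keep the old behaviour.
  if (!scriptSrc) return true;
  const doc = new URL(documentHref);
  const script = new URL(scriptSrc, documentHref); // resolves relative srcs
  if (sameSite(script, doc)) return true;          // an extension page using its own copy
  return WEB_SCHEMES.has(script.protocol);         // cross-origin is fine on web schemes
}

// Constructed scenarios (not taken from the page): a CSP-protected site whose
// XSS bug injects a <script> pointing at an installed extension's angular.js.
const SCENARIOS = [
  { src: 'https://cdn.example.com/angular.js', doc: 'https://victim.example/', expect: true },
  { src: '/static/angular.js', doc: 'https://victim.example/app', expect: true },
  { src: 'chrome-extension://aaaabbbb/angular.js', doc: 'https://victim.example/', expect: false },
  { src: 'resource://gre/angular.js', doc: 'https://victim.example/', expect: false },
  { src: 'moz-extension://1234-5678/angular.js', doc: 'moz-extension://1234-5678/popup.html', expect: true },
];

function runScenarios() {
  return SCENARIOS.map(s => ({ ...s, got: allowAutoBootstrap(s.src, s.doc) }));
}

for (const r of runScenarios()) {
  console.log(`${r.got === r.expect ? 'ok ' : 'BAD'} bootstrap=${r.got} src=${r.src} doc=${r.doc}`);
}
```

The last scenario shows why the check must be more than a scheme blacklist: an extension's own popup page is allowed to bootstrap its bundled Angular, so same scheme and host short-circuits to allowed before the scheme allow-list is consulted.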


