
Defending Angular Applications with a Content Security Policy


  • Kendo UI for Angular components are fully compatible with strict CSPs.
  • We’ve got an important update for you on Kendo UI support for Angular and Content Security Policies (CSPs).
  • Content Security Policy is a browser feature for protecting against cross-site scripting attacks (XSS), one of the most common attack vectors on the web.
  • The template engine in Kendo UI for jQuery requires `script-src 'unsafe-eval'` because it generates and evaluates code at runtime, much like the Angular JIT compiler.
  • In the context of Angular applications, the Intro to Web Security talk by Dominik Kundel (slides) from Angular Connect ’17 is definitely worth your time.

An effective CSP will provide you with a safety net against XSS attacks. Kendo UI for Angular components are fully compatible with strict CSPs.

We’ve got an important update for you on Kendo UI support for Angular and Content Security Policies (CSPs). For the quick version, you can skim the summary right here, or dive into the full content below.

Content Security Policy is a browser feature for protecting against cross-site scripting attacks (XSS), one of the most common attack vectors on the web. It is a useful layer to have in your defense-in-depth strategy.

But it is just that: one layer, not a complete solution in itself. A policy only helps in browsers that enforce it, and the most notable exception is Internet Explorer, which never implemented the standard `Content-Security-Policy` header (Edge does). Treat CSP as a backstop for the XSS you failed to prevent, not as a replacement for output encoding and input validation.

An example policy that satisfies the rules above is `script-src 'self'; object-src 'none'`: scripts may only be loaded from the page's own origin (inline scripts and `eval` are blocked), and plugins such as Flash cannot be embedded at all.

The CSP Evaluator tool can be used to identify problems with your policy. Extensive research on the real-world effectiveness of different policies is available in the CSP Is Dead, Long Live CSP! paper (Weichselbaum et al., CCS 2016).

How to use a strict policy in an Angular application?

Your application has to be compiled Ahead of Time (AOT). The JIT compiler is not an option under a strict policy: it generates component code in the browser at runtime and evaluates it with `new Function`, which the browser only permits when `script-src` includes `'unsafe-eval'`. AOT moves that code generation to build time, so the shipped bundle contains only static scripts that `'self'` covers.
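To make the two requirements above concrete, here is an added example (not code from the original post, from Progress/Telerik, or from Google's CSP Evaluator): a small policy linter that flags the things a strict policy must not contain, including the `'unsafe-eval'` that a JIT build needs, together with a builder for the post's example policy. `parsePolicy`, `lintPolicy`, `buildStrictPolicy`, the `extraScriptHosts` parameter and the sample policies are all our own assumptions; the directive names and keyword sources are the real CSP ones.

```javascript
// Added example: a minimal CSP linter plus a builder for a strict policy.
// Not part of the original post or of Kendo UI. Directive names and
// keyword sources ('self', 'none', 'unsafe-eval', ...) are real CSP syntax;
// the finding messages and function names are our own.

// Parse "dir src src; dir src" into a Map of directive -> array of sources.
// Directive names are case-insensitive and the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return the list of problems a strict policy should not have.
function lintPolicy(policy) {
  const d = parsePolicy(policy);
  const findings = [];
  // script-src and object-src both fall back to default-src when absent.
  const scriptSrc = d.get('script-src') || d.get('default-src');

  if (!scriptSrc) {
    findings.push('no script-src (or default-src) directive: scripts are not restricted');
  } else {
    const src = scriptSrc.map(s => s.toLowerCase());
    if (src.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval' (needed by the Angular JIT compiler; build with AOT instead)");
    }
    const hasNonceOrHash = src.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
    // A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it on its own.
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts still run");
    }
    if (src.includes('*') || src.some(s => /^(https?:|data:)$/.test(s))) {
      findings.push('script-src contains a wildcard or scheme-only source: any script from that scheme can load');
    }
  }
  if (!d.has('object-src') && !d.has('default-src')) {
    findings.push("no object-src directive: plugins can be embedded; add object-src 'none'");
  }
  return findings;
}

// Header value for an AOT-compiled Angular app served from its own origin.
// extraScriptHosts is a hypothetical parameter for CDNs you really load scripts from.
function buildStrictPolicy(extraScriptHosts = []) {
  const scriptSources = ["'self'", ...extraScriptHosts];
  return `script-src ${scriptSources.join(' ')}; object-src 'none'`;
}

// Constructed sample policies for the demonstration.
const jitPolicy = "script-src 'self' 'unsafe-eval'"; // what a JIT build needs
const strictPolicy = buildStrictPolicy();              // the post's example policy

for (const p of [jitPolicy, strictPolicy]) {
  const problems = lintPolicy(p);
  console.log(JSON.stringify(p), '->', problems.length ? problems : 'OK');
}
```

Send the returned value as the `Content-Security-Policy` response header from whatever serves the Angular bundle, build with AOT (`ng build --prod` turns it on in the Angular CLI), and then load the app with the browser console open: a JIT build or a library that still calls `eval` shows up immediately as a CSP violation report rather than a silently broken page.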

As of this week, none. The @progress/kendo-data-query package has dropped its use of `eval` as of version 1.1.0, making the suite fully compatible with a strict CSP. A sample application is…
