Which @angular/* package(s) are the source of the bug?
core
Is this a regression?
No
Description
When I use the ngCspNonce attribute in order to inject a nonce that is used by the framework to meet the browser's criteria for script and style tags, I expect it to disappear from the DOM after the framework has retrieved it.
As an attacker, it's very easy for me to detect if an application is built with Angular, and retrieve the nonce in the DOM. It would be much harder for me if the nonce was encapsulated into JavaScript closures with no global reference to it.
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
No response
Please provide the environment you discovered this bug in (run ng version)
The idea of the CSP nonce is that it cannot be guessed, not that it's private. How would an attacker perform the detection in an automated way to extract the CSP nonce for any user?