5 lines
29 KiB
JSON
5 lines
29 KiB
JSON
{
|
||
"id": "guide/security",
|
||
"title": "Security",
|
||
"contents": "\n\n\n<div class=\"github-links\">\n <a href=\"https://github.com/angular/angular/edit/master/aio/content/guide/security.md?message=docs%3A%20describe%20your%20change...\" aria-label=\"Suggest Edits\" title=\"Suggest Edits\"><i class=\"material-icons\" aria-hidden=\"true\" role=\"img\">mode_edit</i></a>\n</div>\n\n\n<div class=\"content\">\n <h1 id=\"security\">Security<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#security\"><i class=\"material-icons\">link</i></a></h1>\n<p>This topic describes Angular's built-in\nprotections against common web-application vulnerabilities and attacks such as cross-site\nscripting attacks. It doesn't cover application-level security, such as authentication and authorization.</p>\n<p>For more information about the attacks and mitigations described below, see <a href=\"https://www.owasp.org/index.php/Category:OWASP_Guide_Project\">OWASP Guide Project</a>.</p>\n<p>You can run the <live-example></live-example> in Stackblitz and download the code from there.</p>\n<div class=\"callout is-important\">\n<a id=\"report-issues\"></a>\n<header>Reporting vulnerabilities</header>\n<p>To report vulnerabilities in Angular itself, email us at <a href=\"mailto:security@angular.io\">security@angular.io</a>.</p>\n<p>For more information about how Google handles security issues, see <a href=\"https://www.google.com/about/appsecurity/\">Google's security\nphilosophy</a>.</p>\n</div>\n<div class=\"callout is-helpful\">\n<a id=\"best-practices\"></a>\n<header>Best practices</header>\n<ul>\n<li>\n<p><strong>Keep current with the latest Angular library releases.</strong>\nWe regularly update the Angular libraries, and these updates may fix security defects discovered in\nprevious versions. Check the Angular <a href=\"https://github.com/angular/angular/blob/master/CHANGELOG.md\">change\nlog</a> for security-related updates.</p>\n</li>\n<li>\n<p><strong>Don't modify your copy of Angular.</strong>\nPrivate, customized versions of Angular tend to fall behind the current version and may not include\nimportant security fixes and enhancements. Instead, share your Angular improvements with the\ncommunity and make a pull request.</p>\n</li>\n<li>\n<p><strong>Avoid Angular APIs marked in the documentation as “<em>Security Risk</em>.”</strong>\nFor more information, see the <a href=\"guide/security#bypass-security-apis\">Trusting safe values</a> section of this page.</p>\n</li>\n</ul>\n</div>\n<h2 id=\"preventing-cross-site-scripting-xss\">Preventing cross-site scripting (XSS)<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#preventing-cross-site-scripting-xss\"><i class=\"material-icons\">link</i></a></h2>\n<p><a href=\"https://en.wikipedia.org/wiki/Cross-site_scripting\">Cross-site scripting (XSS)</a> enables attackers\nto inject malicious code into web pages. Such code can then, for example, steal user data (in\nparticular, login data) or perform actions to impersonate the user. This is one of the most\ncommon attacks on the web.</p>\n<p>To block XSS attacks, you must prevent malicious code from entering the DOM (Document Object Model). For example, if\nattackers can trick you into inserting a <code><script></code> tag in the DOM, they can run arbitrary code on\nyour website. The attack isn't limited to <code><script></code> tags—many elements and properties in the\nDOM allow code execution, for example, <code><img onerror=\"...\"></code> and <code><a href=\"javascript:...\"></code>. If\nattacker-controlled data enters the DOM, expect security vulnerabilities.</p>\n<h3 id=\"angulars-cross-site-scripting-security-model\">Angular’s cross-site scripting security model<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#angulars-cross-site-scripting-security-model\"><i class=\"material-icons\">link</i></a></h3>\n<p>To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template binding, or interpolation, Angular sanitizes and escapes untrusted values. If a value was already sanitized outside of Angular and is considered safe, you can communicate this to Angular by marking the <a href=\"guide/security#bypass-security-apis\">value as trusted</a>.</p>\n<p>Unlike values to be used for rendering, Angular templates are considered trusted by default, and should be treated as executable code. Never generate templates by concatenating user input and template syntax. Doing this would enable attackers to <a href=\"https://en.wikipedia.org/wiki/Code_injection\">inject arbitrary code</a> into your application. To prevent these vulnerabilities, always use the default <a href=\"/guide/security#offline-template-compiler\">AOT template compiler</a> in production deployments.</p>\n<p>An additional layer of protection can be provided through the use of Content security policy and Trusted Types. These web platform features operate at the DOM level which is the most effective place to prevent XSS issues because they can't be bypassed using other, lower-level APIs. For this reason, we strongly encourage developers to take advantage of these features by configuring the <a href=\"guide/security#content-security-policy\">content security policy</a> for their application and enabling <a href=\"guide/security#trusted-types\">trusted types enforcement</a>.</p>\n<h3 id=\"sanitization-and-security-contexts\">Sanitization and security contexts<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#sanitization-and-security-contexts\"><i class=\"material-icons\">link</i></a></h3>\n<p><em>Sanitization</em> is the inspection of an untrusted value, turning it into a value that's safe to insert into\nthe DOM. In many cases, sanitization doesn't change a value at all. Sanitization depends on context:\na value that's harmless in CSS is potentially dangerous in a URL.</p>\n<p>Angular defines the following security contexts:</p>\n<ul>\n<li><strong>HTML</strong> is used when interpreting a value as HTML, for example, when binding to <code>innerHtml</code>.</li>\n<li><strong>Style</strong> is used when binding CSS into the <code><a href=\"api/animations/style\" class=\"code-anchor\">style</a></code> property.</li>\n<li><strong>URL</strong> is used for URL properties, such as <code><a href></code>.</li>\n<li><strong>Resource URL</strong> is a URL that will be loaded and executed as code, for example, in <code><script src></code>.</li>\n</ul>\n<p>Angular sanitizes untrusted values for HTML, styles, and URLs; sanitizing resource URLs isn't\npossible because they contain arbitrary code. In development mode, Angular prints a console warning\nwhen it has to change a value during sanitization.</p>\n<h3 id=\"sanitization-example\">Sanitization example<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#sanitization-example\"><i class=\"material-icons\">link</i></a></h3>\n<p>The following template binds the value of <code>htmlSnippet</code>, once by interpolating it into an element's\ncontent, and once by binding it to the <code>innerHTML</code> property of an element:</p>\n<code-example path=\"security/src/app/inner-html-binding.component.html\" header=\"src/app/inner-html-binding.component.html\">\n<h3>Binding innerHTML</h3>\n<p>Bound value:</p>\n<p class=\"e2e-inner-html-interpolated\">{{htmlSnippet}}</p>\n<p>Result of binding to innerHTML:</p>\n<p class=\"e2e-inner-html-bound\" [innerHTML]=\"htmlSnippet\"></p>\n\n\n</code-example>\n<p>Interpolated content is always escaped—the HTML isn't interpreted and the browser displays\nangle brackets in the element's text content.</p>\n<p>For the HTML to be interpreted, bind it to an HTML property such as <code>innerHTML</code>. But binding\na value that an attacker might control into <code>innerHTML</code> normally causes an XSS\nvulnerability. For example, one could execute JavaScript in a following way:</p>\n<code-example path=\"security/src/app/inner-html-binding.component.ts\" header=\"src/app/inner-html-binding.component.ts (class)\" region=\"class\">\nexport class InnerHtmlBindingComponent {\n // For example, a user/attacker-controlled value from a URL.\n htmlSnippet = 'Template <script>alert(\"0wned\")</script> <b>Syntax</b>';\n}\n\n\n</code-example>\n<p>Angular recognizes the value as unsafe and automatically sanitizes it, which removes the <code>script</code> element but keeps safe content such as the <code><b></code> element.</p>\n<div class=\"lightbox\">\n <img src=\"generated/images/guide/security/binding-inner-html.png\" alt=\"A screenshot showing interpolated and bound HTML values\" width=\"400\" height=\"114\">\n</div>\n<h3 id=\"direct-use-of-the-dom-apis-and-explicit-sanitization-calls\">Direct use of the DOM APIs and explicit sanitization calls<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#direct-use-of-the-dom-apis-and-explicit-sanitization-calls\"><i class=\"material-icons\">link</i></a></h3>\n<p>Unless you enforce Trusted Types, the built-in browser DOM APIs don't automatically protect you from security vulnerabilities.\nFor example, <code>document</code>, the node available through <code><a href=\"api/core/ElementRef\" class=\"code-anchor\">ElementRef</a></code>, and many third-party APIs\ncontain unsafe methods. In the same way, if you interact with other libraries that manipulate\nthe DOM, you likely won't have the same automatic sanitization as with Angular interpolations.\nAvoid directly interacting with the DOM and instead use Angular templates where possible.</p>\n<p>For cases where this is unavoidable, use the built-in Angular sanitization functions.\nSanitize untrusted values with the <a href=\"api/platform-browser/DomSanitizer#sanitize\">DomSanitizer.sanitize</a>\nmethod and the appropriate <code><a href=\"api/core/SecurityContext\" class=\"code-anchor\">SecurityContext</a></code>. That function also accepts values that were\nmarked as trusted using the <code>bypassSecurityTrust</code>... functions, and will not sanitize them,\nas <a href=\"guide/security#bypass-security-apis\">described below</a>.</p>\n<a id=\"bypass-security-apis\"></a>\n<h3 id=\"trusting-safe-values\">Trusting safe values<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#trusting-safe-values\"><i class=\"material-icons\">link</i></a></h3>\n<p>Sometimes applications genuinely need to include executable code, display an <code><iframe></code> from some\nURL, or construct potentially dangerous URLs. To prevent automatic sanitization in any of these\nsituations, you can tell Angular that you inspected a value, checked how it was generated, and made\nsure it will always be secure. But <em>be careful</em>. If you trust a value that might be malicious, you\nare introducing a security vulnerability into your application. If in doubt, find a professional\nsecurity reviewer.</p>\n<p>To mark a value as trusted, inject <code><a href=\"api/platform-browser/DomSanitizer\" class=\"code-anchor\">DomSanitizer</a></code> and call one of the\nfollowing methods:</p>\n<ul>\n<li><code>bypassSecurityTrustHtml</code></li>\n<li><code>bypassSecurityTrustScript</code></li>\n<li><code>bypassSecurityTrustStyle</code></li>\n<li><code>bypassSecurityTrustUrl</code></li>\n<li><code>bypassSecurityTrustResourceUrl</code></li>\n</ul>\n<p>Remember, whether a value is safe depends on context, so choose the right context for\nyour intended use of the value. Imagine that the following template needs to bind a URL to a\n<code>javascript:alert(...)</code> call:</p>\n<code-example path=\"security/src/app/bypass-security.component.html\" header=\"src/app/bypass-security.component.html (URL)\" region=\"URL\">\n<h4>An untrusted URL:</h4>\n<p><a class=\"e2e-dangerous-url\" [href]=\"dangerousUrl\">Click me</a></p>\n<h4>A trusted URL:</h4>\n<p><a class=\"e2e-trusted-url\" [href]=\"trustedUrl\">Click me</a></p>\n\n</code-example>\n<p>Normally, Angular automatically sanitizes the URL, disables the dangerous code, and\nin development mode, logs this action to the console. To prevent\nthis, mark the URL value as a trusted URL using the <code>bypassSecurityTrustUrl</code> call:</p>\n<code-example path=\"security/src/app/bypass-security.component.ts\" header=\"src/app/bypass-security.component.ts (trust-url)\" region=\"trust-url\">\nconstructor(private sanitizer: <a href=\"api/platform-browser/DomSanitizer\" class=\"code-anchor\">DomSanitizer</a>) {\n // javascript: URLs are dangerous if attacker controlled.\n // Angular sanitizes them in data binding, but you can\n // explicitly tell Angular to trust this value:\n this.dangerousUrl = 'javascript:alert(\"Hi there\")';\n this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);\n\n</code-example>\n<div class=\"lightbox\">\n <img src=\"generated/images/guide/security/bypass-security-component.png\" alt=\"A screenshot showing an alert box created from a trusted URL\" width=\"454\" height=\"175\">\n</div>\n<p>If you need to convert user input into a trusted value, use a\ncomponent method. The following template allows users to enter a YouTube video ID and load the\ncorresponding video in an <code><iframe></code>. The <code><iframe src></code> attribute is a resource URL security\ncontext, because an untrusted source can, for example, smuggle in file downloads that unsuspecting users\ncould execute. So call a method on the component to construct a trusted video URL, which causes\nAngular to allow binding into <code><iframe src></code>:</p>\n<code-example path=\"security/src/app/bypass-security.component.html\" header=\"src/app/bypass-security.component.html (iframe)\" region=\"iframe\">\n<h4>Resource URL:</h4>\n<p>Showing: {{dangerousVideoUrl}}</p>\n<p>Trusted:</p>\n<iframe class=\"e2e-iframe-trusted-src\" width=\"640\" height=\"390\" [src]=\"videoUrl\"></iframe>\n<p>Untrusted:</p>\n<iframe class=\"e2e-iframe-untrusted-src\" width=\"640\" height=\"390\" [src]=\"dangerousVideoUrl\"></iframe>\n\n\n</code-example>\n<code-example path=\"security/src/app/bypass-security.component.ts\" header=\"src/app/bypass-security.component.ts (trust-video-url)\" region=\"trust-video-url\">\nupdateVideoUrl(id: string) {\n // Appending an ID to a YouTube URL is safe.\n // Always make sure to construct <a href=\"api/platform-browser/SafeValue\" class=\"code-anchor\">SafeValue</a> objects as\n // close as possible to the input data so\n // that it's easier to check if the value is safe.\n this.dangerousVideoUrl = 'https://www.youtube.com/embed/' + id;\n this.videoUrl =\n this.sanitizer.bypassSecurityTrustResourceUrl(this.dangerousVideoUrl);\n}\n\n</code-example>\n<a id=\"content-security-policy\"></a>\n<h3 id=\"content-security-policy\">Content security policy<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#content-security-policy\"><i class=\"material-icons\">link</i></a></h3>\n<p>Content Security Policy (CSP) is a defense-in-depth\ntechnique to prevent XSS. To enable CSP, configure your web server to return an appropriate\n<code>Content-Security-Policy</code> HTTP header. Read more about content security policy at the\n<a href=\"https://developers.google.com/web/fundamentals/security/csp\">Web Fundamentals guide</a> on the\nGoogle Developers website.</p>\n<a id=\"trusted-types\"></a>\n<h3 id=\"enforcing-trusted-types\">Enforcing Trusted Types<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#enforcing-trusted-types\"><i class=\"material-icons\">link</i></a></h3>\n<p>We recommend the use of <a href=\"https://w3c.github.io/webappsec-trusted-types/dist/spec/\">Trusted Types</a> as a way to help secure your applications from cross-site scripting attacks. Trusted Types is a <a href=\"https://en.wikipedia.org/wiki/Web_platform\">web platform</a>\nfeature that can help you prevent cross-site scripting attacks by enforcing\nsafer coding practices. Trusted Types can also help simplify the auditing of application code.</p>\n<div class=\"callout is-helpful\">\n<p>Trusted Types might not yet be available in all browsers your application targets. In the case your Trusted-Types-enabled application runs in a browser that doesn't support Trusted Types, the functionality of the application will be preserved, and your application will be guarded against XSS via Angular's DomSanitizer. See <a href=\"https://caniuse.com/trusted-types\">caniuse.com/trusted-types</a> for the current browser support.</p>\n</div>\n<p>To enforce Trusted Types for your application, you must configure your application's web server to emit HTTP headers with one of the following Angular policies:</p>\n<ul>\n<li><code>angular</code> - This policy is used in security-reviewed code that is internal to Angular, and is required for Angular to function when Trusted Types are enforced. Any inline template values or content sanitized by Angular is treated as safe by this policy.</li>\n<li><code>angular#unsafe-bypass</code> - This policy is used for applications that use any of the methods in Angular's <a href=\"api/platform-browser/DomSanitizer\">DomSanitizer</a> that bypass security, such as <code>bypassSecurityTrustHtml</code>. Any application that uses these methods must enable this policy.</li>\n<li><code>angular#unsafe-jit</code> - This policy is used by the <a href=\"api/core/Compiler\">JIT compiler</a>. You must enable this policy if your application interacts directly with the JIT compiler or is running in JIT mode using the <a href=\"api/platform-browser-dynamic/platformBrowserDynamic\">platform browser dynamic</a>.</li>\n</ul>\n<p>You should configure the HTTP headers for Trusted Types in the following locations:</p>\n<ul>\n<li>Production serving infrastructure</li>\n<li>Angular CLI (<code>ng serve</code>), using the <code>headers</code> property in the <code>angular.json</code> file, for local development and end-to-end testing</li>\n<li>Karma (<code>ng test</code>), using the <code>customHeaders</code> property in the <code>karma.config.js</code> file, for unit testing</li>\n</ul>\n<p>The following is an example of a header specifically configured for Trusted Types and Angular:</p>\n<code-example language=\"html\">\nContent-Security-Policy: trusted-types angular; require-trusted-types-for 'script';\n</code-example>\n<p>The following is an example of a header specifically configured for Trusted Types and Angular applications that use any of the methods in Angular's <a href=\"api/platform-browser/DomSanitizer\">DomSanitizer</a> that bypasses security.</p>\n<code-example language=\"html\">\nContent-Security-Policy: trusted-types angular angular#unsafe-bypass; require-trusted-types-for 'script';\n</code-example>\n<p>The following is an example of a header specifically configured for Trusted Types and Angular applications using JIT:</p>\n<code-example language=\"html\">\nContent-Security-Policy: trusted-types angular angular#unsafe-jit; require-trusted-types-for 'script';\n</code-example>\n<div class=\"callout is-helpful\">\n<header>Community contributions</header>\n<p>To learn more about troubleshooting Trusted Type configurations, the following resource might be helpful:</p>\n<p><a href=\"https://web.dev/trusted-types/#how-to-use-trusted-types\">Prevent DOM-based cross-site scripting vulnerabilities with Trusted Types</a></p>\n</div>\n<a id=\"offline-template-compiler\"></a>\n<h3 id=\"use-the-aot-template-compiler\">Use the AOT template compiler<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#use-the-aot-template-compiler\"><i class=\"material-icons\">link</i></a></h3>\n<p>The AOT template compiler prevents a whole class of vulnerabilities called template injection,\nand greatly improves application performance. The AOT template compiler is the default compiler used by Angular CLI applications, and you should use it in all production deployments.</p>\n<p>An alternative to the AOT compiler is the JIT compiler which compiles templates to executable template code within the browser at runtime. Angular trusts template code, so dynamically generating templates and compiling them, in particular templates containing user data, circumvents Angular's built-in protections and is a security anti-pattern. For information about dynamically constructing forms in a safe way, see the <a href=\"guide/dynamic-form\">Dynamic Forms</a> guide.</p>\n<a id=\"server-side-xss\"></a>\n<h3 id=\"server-side-xss-protection\">Server-side XSS protection<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#server-side-xss-protection\"><i class=\"material-icons\">link</i></a></h3>\n<p>HTML constructed on the server is vulnerable to injection attacks. Injecting template code into an Angular application is the same as injecting executable code into the application: it gives the attacker full control over the application. To prevent this, use a templating language that automatically escapes values to prevent XSS vulnerabilities on the server. Don't generate Angular templates on the server side using a templating language; doing this carries a high risk of introducing template-injection vulnerabilities.</p>\n<a id=\"http\"></a>\n<h2 id=\"http-level-vulnerabilities\">HTTP-level vulnerabilities<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#http-level-vulnerabilities\"><i class=\"material-icons\">link</i></a></h2>\n<p>Angular has built-in support to help prevent two common HTTP vulnerabilities, cross-site request\nforgery (CSRF or XSRF) and cross-site script inclusion (XSSI). Both of these must be mitigated primarily\non the server side, but Angular provides helpers to make integration on the client side easier.</p>\n<a id=\"xsrf\"></a>\n<h3 id=\"cross-site-request-forgery\">Cross-site request forgery<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#cross-site-request-forgery\"><i class=\"material-icons\">link</i></a></h3>\n<p>In a cross-site request forgery (CSRF or XSRF), an attacker tricks the user into visiting\na different web page (such as <code>evil.com</code>) with malignant code that secretly sends a malicious request\nto the application's web server (such as <code>example-bank.com</code>).</p>\n<p>Assume the user is logged into the application at <code>example-bank.com</code>.\nThe user opens an email and clicks a link to <code>evil.com</code>, which opens in a new tab.</p>\n<p>The <code>evil.com</code> page immediately sends a malicious request to <code>example-bank.com</code>.\nPerhaps it's a request to transfer money from the user's account to the attacker's account.\nThe browser automatically sends the <code>example-bank.com</code> cookies (including the authentication cookie) with this request.</p>\n<p>If the <code>example-bank.com</code> server lacks XSRF protection, it can't tell the difference between a legitimate\nrequest from the application and the forged request from <code>evil.com</code>.</p>\n<p>To prevent this, the application must ensure that a user request originates from the real\napplication, not from a different site.\nThe server and client must cooperate to thwart this attack.</p>\n<p>In a common anti-XSRF technique, the application server sends a randomly\ngenerated authentication token in a cookie.\nThe client code reads the cookie and adds a custom request header with the token in all subsequent requests.\nThe server compares the received cookie value to the request header value and rejects the request if the values are missing or don't match.</p>\n<p>This technique is effective because all browsers implement the <em>same origin policy</em>. Only code from the website\non which cookies are set can read the cookies from that site and set custom headers on requests to that site.\nThat means only your application can read this cookie token and set the custom header. The malicious code on <code>evil.com</code> can't.</p>\n<p>Angular's <code><a href=\"api/common/http/HttpClient\" class=\"code-anchor\">HttpClient</a></code> has built-in support for the client-side half of this technique. Read about it more in the <a href=\"/guide/http#security-xsrf-protection\">HttpClient guide</a>.</p>\n<p>For information about CSRF at the Open Web Application Security Project (OWASP), see\n<a href=\"https://owasp.org/www-community/attacks/csrf\">Cross-Site Request Forgery (CSRF)</a> and\n<a href=\"https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html\">Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet</a>.\nThe Stanford University paper\n<a href=\"https://seclab.stanford.edu/websec/csrf/csrf.pdf\">Robust Defenses for Cross-Site Request Forgery</a> is a rich source of detail.</p>\n<p>See also Dave Smith's easy-to-understand\n<a href=\"https://www.youtube.com/watch?v=9inczw6qtpY\" title=\"Cross Site Request Funkery Securing Your Angular Apps From Evil Doers\">talk on XSRF at AngularConnect 2016</a>.</p>\n<a id=\"xssi\"></a>\n<h3 id=\"cross-site-script-inclusion-xssi\">Cross-site script inclusion (XSSI)<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#cross-site-script-inclusion-xssi\"><i class=\"material-icons\">link</i></a></h3>\n<p>Cross-site script inclusion, also known as JSON vulnerability, can allow an attacker's website to\nread data from a JSON API. The attack works on older browsers by overriding native JavaScript\nobject constructors, and then including an API URL using a <code><script></code> tag.</p>\n<p>This attack is only successful if the returned JSON is executable as JavaScript. Servers can\nprevent an attack by prefixing all JSON responses to make them non-executable, by convention, using the\nwell-known string <code>\")]}',\\n\"</code>.</p>\n<p>Angular's <code><a href=\"api/common/http/HttpClient\" class=\"code-anchor\">HttpClient</a></code> library recognizes this convention and automatically strips the string\n<code>\")]}',\\n\"</code> from all responses before further parsing.</p>\n<p>For more information, see the XSSI section of this <a href=\"https://security.googleblog.com/2011/05/website-security-for-webmasters.html\">Google web security blog\npost</a>.</p>\n<a id=\"code-review\"></a>\n<h2 id=\"auditing-angular-applications\">Auditing Angular applications<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#auditing-angular-applications\"><i class=\"material-icons\">link</i></a></h2>\n<p>Angular applications must follow the same security principles as regular web applications, and\nmust be audited as such. Angular-specific APIs that should be audited in a security review,\nsuch as the <a href=\"guide/security#bypass-security-apis\"><em>bypassSecurityTrust</em></a> methods, are marked in the documentation\nas security sensitive.</p>\n\n \n</div>\n\n<!-- links to this doc:\n - guide/architecture-next-steps\n - guide/example-apps-list\n - guide/property-binding\n - guide/template-syntax\n-->\n<!-- links from this doc:\n - /guide/http#security-xsrf-protection\n - /guide/security#offline-template-compiler\n - api/animations/style\n - api/common/http/HttpClient\n - api/core/Compiler\n - api/core/ElementRef\n - api/core/SecurityContext\n - api/platform-browser-dynamic/platformBrowserDynamic\n - api/platform-browser/DomSanitizer\n - api/platform-browser/DomSanitizer#sanitize\n - api/platform-browser/SafeValue\n - guide/dynamic-form\n - guide/security#angulars-cross-site-scripting-security-model\n - guide/security#auditing-angular-applications\n - guide/security#bypass-security-apis\n - guide/security#content-security-policy\n - guide/security#cross-site-request-forgery\n - guide/security#cross-site-script-inclusion-xssi\n - guide/security#direct-use-of-the-dom-apis-and-explicit-sanitization-calls\n - guide/security#enforcing-trusted-types\n - guide/security#http-level-vulnerabilities\n - guide/security#preventing-cross-site-scripting-xss\n - guide/security#sanitization-and-security-contexts\n - guide/security#sanitization-example\n - guide/security#security\n - guide/security#server-side-xss-protection\n - guide/security#trusted-types\n - guide/security#trusting-safe-values\n - guide/security#use-the-aot-template-compiler\n - https://caniuse.com/trusted-types\n - https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html\n - https://developers.google.com/web/fundamentals/security/csp\n - https://en.wikipedia.org/wiki/Code_injection\n - https://en.wikipedia.org/wiki/Cross-site_scripting\n - https://en.wikipedia.org/wiki/Web_platform\n - https://github.com/angular/angular/blob/master/CHANGELOG.md\n - https://github.com/angular/angular/edit/master/aio/content/guide/security.md?message=docs%3A%20describe%20your%20change...\n - https://owasp.org/www-community/attacks/csrf\n - https://seclab.stanford.edu/websec/csrf/csrf.pdf\n - https://security.googleblog.com/2011/05/website-security-for-webmasters.html\n - https://w3c.github.io/webappsec-trusted-types/dist/spec/\n - https://web.dev/trusted-types/#how-to-use-trusted-types\n - https://www.google.com/about/appsecurity/\n - https://www.owasp.org/index.php/Category:OWASP_Guide_Project\n - https://www.youtube.com/watch?v=9inczw6qtpY\n - mailto:security@angular.io\n-->"
|
||
} |