
Why does CSP Evaluator warn "No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries" if I put script-src *.somesite.com?

I understand why CSP Evaluator warns about JSONP endpoints: if my site has an XSS vulnerability, a JSONP endpoint on the whitelisted domain would let that XSS go through. But why Angular libraries? Can anyone demonstrate a payload that uses an Angular library to cause XSS?

Some samples

You can trigger an Angular handler similarly to how you would with JSONP.

Since whitelisted domains can have a range of these bypasses, especially if they are widely used services like CDNs or APIs (which commonly host Angular, JSONP or redirects), they usually render your policy useless.

Depending on your use case, the list of domains in a policy can grow very large and make it difficult to maintain and monitor for these bypasses.

Instead, it is recommended that you use CSP nonces, as explained by the authors of CSP Mitigator here.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

Guangdong ICP Filing No. 18138465  © 2020-2024 STACKOOM.COM