The CSP nonce remains in the DOM after being read by Angular #55359
Labels
area: security
cross-cutting: CSP
Which @angular/* package(s) are the source of the bug?
core
Is this a regression?
No
Description
When I use the `ngCspNonce` attribute in order to inject a nonce that is used by the framework to meet the browser's criteria for `script` and `style` tags, I expect it to disappear from the DOM after the framework has retrieved it. As an attacker, it's very easy for me to detect if an application is built with Angular and retrieve the nonce from the DOM. It would be much harder for me if the nonce was encapsulated into JavaScript closures with no global reference to it.
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
No response
Please provide the environment you discovered this bug in (run `ng version`)
Anything else?
No response
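The two behaviours the report contrasts, as an added example that is not part of the original issue and not Angular's own code. It runs in Node without a browser by using a minimal stand-in for a DOM element: `readNonceLeaky` mirrors the reported behaviour, where the `ngCspNonce` attribute is read and left in place, and `readNonceIntoClosure` shows the proposed alternative, where the nonce is captured in a closure, the attribute is removed, and only a function that applies the nonce is handed out. `FakeElement`, the function names, the `app-root` element and the nonce value are all assumptions made for this example.

```javascript
'use strict';

// Minimal stand-in for a DOM element (constructed for this example; not a real DOM).
// Real browsers hide the `nonce` content attribute of nonced elements but keep the
// `.nonce` IDL property readable from script; this stand-in models only that property.
class FakeElement {
  constructor(tagName, attrs = {}) {
    this.tagName = tagName;
    this.attrs = { ...attrs };
    this.children = [];
    this.nonce = ''; // the IDL property a browser exposes on nonced elements
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  removeAttribute(name) {
    delete this.attrs[name];
  }
  appendChild(child) {
    this.children.push(child);
    return child;
  }
}

// Reported behaviour: the framework reads the nonce from the root element and
// leaves the attribute in the markup.
function readNonceLeaky(root) {
  return root.getAttribute('ngCspNonce');
}

// Proposed behaviour: read the nonce once, drop the attribute, and return only a
// function that applies it, so no global reference to the value remains.
function readNonceIntoClosure(root) {
  const nonce = root.getAttribute('ngCspNonce');
  root.removeAttribute('ngCspNonce');
  if (nonce === null) {
    return null; // no nonce configured on the root element
  }
  return function applyNonce(element) {
    element.nonce = nonce; // the caller never sees the string itself
    return element;
  };
}

// What an attacker limited to reading markup (no script execution) can recover
// from the root element after the framework has bootstrapped.
function probeMarkup(root) {
  return root.getAttribute('ngCspNonce');
}

// Bootstraps a constructed root element both ways and reports what is left behind.
function demo(useClosure) {
  const root = new FakeElement('app-root', { ngCspNonce: 'r4nd0mN0nc3' }); // constructed nonce
  const styleEl = root.appendChild(new FakeElement('style'));
  if (useClosure) {
    const applyNonce = readNonceIntoClosure(root);
    applyNonce(styleEl);
  } else {
    styleEl.nonce = readNonceLeaky(root);
  }
  return {
    leakedViaMarkup: probeMarkup(root), // 'r4nd0mN0nc3' when leaky, null with the closure
    styleNonce: styleEl.nonce,          // the injected <style> is nonced either way
  };
}

console.log('leaky  :', demo(false));
console.log('closure:', demo(true));
```

One caveat worth keeping in mind when weighing the proposal: removing the attribute helps against an attacker who can only read or style the markup (for example through CSS attribute selectors or dangling-markup exfiltration), since the nonce then no longer appears as an attribute value. An attacker who already executes script in the page can still read `.nonce` from any nonced element, because browsers hide the `nonce` content attribute but keep that property accessible, so closure encapsulation does not protect the nonce from script injection that has already succeeded.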