fix(core): do not use Function constructors in development mode to avoid CSP violations #43587
Conversation
Force-pushed 13b5125 to 47b9880
For context: angular/packages/core/src/util/ng_dev_mode.ts Lines 54 to 57 in 4610093
Force-pushed 5aa4b96 to 5c25e96
// If this is being compiled to ES5 then the array subclass has `Array` as constructor
// instead of `SupportsArraySubclassing`.
const targetSupportsArraySubclassing =
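Review bot: the comment above the assignment explains the ES5 behaviour (after downlevelling, the array subclass reports `Array` as its constructor) but not its consequence for this check, which the thread notes is currently always false because the test infrastructure runs ES5 code; spell that out next to the constant, for example `// Always false under the ES5 test build, so the ES2015+ branch is not covered by the unit tests.`, so that nobody reads the flag's value in tests as representative of ES2015 targets.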
Note: this is currently always false as our testing infrastructure is using ES5 code.
This looks good to me. Thanks @JoostK
…oid CSP violations This commit removes the dynamic creation of named arrays for internal runtime storage arrays as they may cause CSP violations in development mode, when an application's CSP configuration does not include `unsafe-eval`. Named arrays for view data can still be enabled in development mode using the `ngDevMode=namedConstructors` query parameter when loading the application. The usage of native class syntax for named arrays does not have the desired effect when the code is downleveled to ES5. Since ES5 targets are becoming increasingly more rare this is considered less of a problem than the CSP violation. Fixes angular#43494
Force-pushed 5c25e96 to f2aadfe
This PR was merged into the repository by commit 4f8eaac.
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
This commit removes the dynamic creation of named arrays for internal runtime storage arrays as they may cause CSP violations in development mode, when an application's CSP configuration does not include `unsafe-eval`. Named arrays for view data can still be enabled in development mode using the `ngDevMode=namedConstructors` query parameter when loading the application.

The usage of native class syntax for named arrays does not have the desired effect when the code is downleveled to ES5. Since ES5 targets are becoming increasingly more rare this is considered less of a problem than the CSP violation.

Fixes #43494
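The two mechanisms the commit message contrasts, and the runtime check from the `ng_dev_mode.ts` snippet quoted in the review, as an added example that is not Angular's code: the `new Function` route that the PR removes (rejected by a CSP without `unsafe-eval`), the native `class ... extends Array` replacement, a hand-written copy of what that class becomes after ES5 downlevelling, and a generalised `supportsArraySubclassing` check that tells the two apart. `LViewNative`, `LViewEs5`, `__extends` (a minimal stand-in for the TypeScript helper, not the real one), `makeNamedArrayViaFunction`, `cspAllowsDynamicCode` and `describeInstance` are illustrative names; the sample array contents are constructed.

```javascript
// Added example, not Angular's code. LViewNative, LViewEs5, __extends,
// makeNamedArrayViaFunction and supportsArraySubclassing are illustrative.

// Feature detection for dynamic code: under a CSP whose script-src lacks
// 'unsafe-eval', browsers throw an EvalError from `new Function`. Node has
// no CSP, so this returns true when run outside a browser.
function cspAllowsDynamicCode() {
  try {
    new Function('');
    return true;
  } catch (e) {
    return false;
  }
}

// (a) The approach the PR removes: build a named Array subclass from source
// text. It is a CSP violation without 'unsafe-eval', and because `name` is
// spliced into code it must be a plain identifier, never untrusted input.
function makeNamedArrayViaFunction(name) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)) {
    throw new TypeError('constructor name must be a plain identifier');
  }
  // eslint-disable-next-line no-new-func
  return new Function('return class ' + name + ' extends Array {}')();
}

// (b) The replacement: native class syntax. No string evaluation, so no
// CSP problem, and an instance keeps the subclass as its constructor.
class LViewNative extends Array {}

// (c) What (b) turns into when downlevelled to ES5. `__extends` is a minimal
// stand-in for the TypeScript helper; the constructor body mirrors the
// emitted `_super.apply(this, arguments) || this`. Array() called as a
// function ignores `this` and returns a fresh plain array, which `new` then
// hands back, so the instance's constructor is Array, not LViewEs5.
function __extends(d, b) {
  Object.setPrototypeOf(d, b);
  d.prototype = Object.create(b.prototype, {
    constructor: {value: d, writable: true, configurable: true},
  });
}
var LViewEs5 = (function (_super) {
  __extends(LViewEs5, _super);
  function LViewEs5() {
    return (_super !== null && _super.apply(this, arguments)) || this;
  }
  return LViewEs5;
})(Array);

// The check from the review snippet, generalised to any subclass: true only
// if a fresh instance reports the subclass itself as its constructor.
function supportsArraySubclassing(Ctor) {
  return new Ctor().constructor === Ctor;
}

// What a debugger would show for an instance of each constructor.
function describeInstance(Ctor) {
  const view = new Ctor();
  view.push('node', 'data'); // constructed sample contents
  return {
    constructorName: view.constructor.name,
    isArray: Array.isArray(view),
    instanceOfCtor: view instanceof Ctor,
    length: view.length,
  };
}
```

Run in Node, `cspAllowsDynamicCode()` is true and `makeNamedArrayViaFunction('TView').name` is `'TView'`, which is exactly the behaviour a browser with `script-src` lacking `'unsafe-eval'` refuses. `supportsArraySubclassing(LViewNative)` is true while `supportsArraySubclassing(LViewEs5)` is false, and `describeInstance(LViewEs5).constructorName` comes back as `'Array'`: the ES5 build silently loses the readable name, which is why the commit message accepts that trade-off rather than keeping the eval-based path.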