
Conversation

@bjarkler
Contributor

Angular applications that are AngularJS hybrids are currently unable to adopt Trusted Types due to violations emanating from an innerHTML assignment in the @angular/upgrade package. This commit allows developers of such applications to optionally ignore this class of violations by configuring the Trusted Types header to allow the new angular#unsafe-upgrade policy.

Note that the policy is explicitly labeled as unsafe as it does not in any way mitigate the security risk of using AngularJS in an Angular application, but does unblock Trusted Types adoption enabling XSS protection for other parts of the application.

The implementation follows the approach taken in @angular/core; see packages/core/src/util/security.

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • angular.io application / infrastructure changes
  • Other... Please describe:

What is the current behavior?

The @angular/upgrade package emits Trusted Types violations, blocking adoption of the security feature.

Issue Number: N/A

What is the new behavior?

The Trusted Types violations can be ignored by allowing the new angular#unsafe-upgrade Trusted Types policy. There are no functional changes.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information
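As an added illustration (not code from this PR or the Angular repository), the JavaScript below shows the pattern the description refers to: a lazily created, pass-through policy named angular#unsafe-upgrade that falls back to plain strings when Trusted Types are unavailable or the CSP rejects the name, alongside a check of whether a Content-Security-Policy value's trusted-types directive lists the policy. The helper, the CSP check and the mock trustedTypes factory are this example's own constructions, not Angular's API.

```javascript
// Added example (not Angular's own code); all names below are this example's.
const POLICY_NAME = 'angular#unsafe-upgrade';

// Returns true when `headerValue` (a Content-Security-Policy value) permits
// creating a Trusted Types policy called `name`.
function cspAllowsPolicy(headerValue, name) {
  const directive = headerValue.split(';').map((d) => d.trim())
    .find((d) => /^trusted-types(\s|$)/.test(d));
  if (!directive) return true;  // no directive: any policy name may be created
  const tokens = directive.split(/\s+/).slice(1)
    .filter((t) => t !== "'allow-duplicates'");
  if (tokens.length === 0 || tokens.includes("'none'")) return false;
  return tokens.includes('*') || tokens.includes(name);
}

// `tt` is the trustedTypes factory (window.trustedTypes in a browser).
// Lazy creation: policy undefined = not tried yet, null = unavailable.
function makeTrustedHtmlHelper(tt = globalThis.trustedTypes) {
  let policy;
  function getPolicy() {
    if (policy === undefined) {
      policy = null;
      if (tt) {
        try {
          // Pass-through rule: this is why the policy is labelled "unsafe".
          policy = tt.createPolicy(POLICY_NAME, {createHTML: (s) => s});
        } catch {
          // Enforced CSP does not list the policy: stay on plain strings.
        }
      }
    }
    return policy;
  }
  function trustedHTMLFromString(html) {
    const p = getPolicy();
    return p ? p.createHTML(html) : html;
  }
  return {getPolicy, trustedHTMLFromString};
}

// Constructed stand-in for window.trustedTypes that enforces a CSP value the
// way a browser would: createPolicy throws for names the header rejects.
function mockTrustedTypes(csp) {
  return {
    createPolicy(name, rules) {
      if (!cspAllowsPolicy(csp, name)) throw new TypeError(`policy ${name} rejected`);
      return {createHTML: (s) => ({trustedHTML: rules.createHTML(s)})};
    },
  };
}
```

With the header from the PR description (`trusted-types angular angular#unsafe-upgrade`) the helper returns wrapped HTML; with a header that lists only `angular`, policy creation fails and the helper passes the raw string through, so the violation stays visible in reports.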

@bjarkler bjarkler requested a review from jelbourn August 19, 2024 18:21
@pullapprove pullapprove bot requested a review from thePunderWoman August 19, 2024 18:21
@angular-robot angular-robot bot added the area: upgrade Issues related to AngularJS → Angular upgrade APIs label Aug 19, 2024
@ngbot ngbot bot added this to the Backlog milestone Aug 19, 2024
@bjarkler
Contributor Author

Presubmit (TGP).

@bjarkler bjarkler force-pushed the upgrade-package-trusted-types branch 2 times, most recently from c968dbf to ff30510 Compare August 19, 2024 18:44
@bjarkler bjarkler force-pushed the upgrade-package-trusted-types branch from ff30510 to f626593 Compare August 19, 2024 22:29
Member

@jelbourn jelbourn left a comment


LGTM

Reviewed-for: fw-security

Contributor

@thePunderWoman thePunderWoman left a comment


LGTM

@alxhub alxhub added action: merge The PR is ready for merge by the caretaker target: patch This PR is targeted for the next patch release labels Aug 26, 2024
@alxhub
Member

alxhub commented Aug 26, 2024

This PR was merged into the repository by commit c9d9078.

The changes were merged into the following branches: main, 18.2.x

@alxhub alxhub closed this in c9d9078 Aug 26, 2024
alxhub pushed a commit that referenced this pull request Aug 26, 2024
…57454)
PR Close #57454
@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 29, 2024