From 2b87c814ab70eaaff6359ce1a118f348c8bd2197 Mon Sep 17 00:00:00 2001
From: Igor Minar
Date: Fri, 27 Apr 2012 15:20:54 -0700
Subject: feat($parse): CSP compatibility CSP (content security policy) forbids apps to use eval or Function(string) generated functions (among other things). For us to be compatible, we just need to implement the "getterFn" in $parse without violating any of these restrictions. We currently use Function(string) generated functions as a speed optimization. With this change, it will be possible to opt into the CSP compatible mode using the ngCsp directive. When this mode is on Angular will evaluate all expressions up to 30% slower than in non-CSP mode, but no security violations will be raised. In order to use this feature put ngCsp directive on the root element of the application. For example: ... ... Closes #893
---
 src/ng/directive/ngCsp.js | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 src/ng/directive/ngCsp.js
(limited to 'src/ng/directive/ngCsp.js')
diff --git a/src/ng/directive/ngCsp.js b/src/ng/directive/ngCsp.js
new file mode 100644
index 00000000..d4a3a45d
--- /dev/null
+++ b/src/ng/directive/ngCsp.js
@@ -0,0 +1,26 @@
+'use strict';
+
+/**
+ * TODO(i): this directive is not publicly documented until we know for sure that CSP can't be
+ * safely feature-detected.
+ *
+ * @name angular.module.ng.$compileProvider.directive.ngCsp
+ * @priority 1000
+ *
+ * @description
+ * Enables CSP (Content Security Protection) support. This directive should be used on the ``
+ * element before any kind of interpolation or expression is processed.
+ *
+ * If enabled the performance of $parse will suffer.
+ *
+ * @element html
+ */
+
+var ngCspDirective = ['$sniffer', function($sniffer) {
+  return {
+    priority: 1000,
+    compile: function() {
+      $sniffer.csp = true;
+    }
+  };
+}];
-- 
cgit v1.2.3
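Review bot: The description line `* Enables CSP (Content Security Protection) support.` expands the acronym wrongly; the commit message and the feature itself concern Content Security Policy, so the line should read `* Enables CSP (Content Security Policy) support.`. The same doc block should also spell out the ordering contract the implementation relies on: `$sniffer.csp = true` is only set when this directive's `compile` runs, so an expression parsed before that point is presumably still handled by the `Function(string)` getter path the commit message describes rather than the CSP-safe one — a line such as `* Expressions parsed before this directive is compiled are not affected by it.` would make the "use on the root element" advice verifiable by readers. Whether `$parse` caches getters built before the flag flips, and where `ngCspDirective` is registered with the compiler, are outside this hunk.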