fix(compiler): promote constants in templates to Trusted Types #39211
Conversation
bjarkler
force-pushed
the
trusted-types-constants
branch
2 times, most recently
from
08a7a1f
to
6e2e964
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 11, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
14 tasks
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 11, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
23 tasks
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 11, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 12, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 13, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 13, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 13, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 14, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
IgorMinar
reviewed
Oct 14, 2020
this change lgtm with just one nit about the naming of the private types.
the CI is happy as well. I kicked of g3 presubmit just so that we have a g3 signal as well, but I'm expecting that g3 will be happy as well.
The @types/trusted-types type definitions are currently imported in types.d.ts, which causes them to eventually be imported in core.d.ts. This forces anyone compiling against @angular/core to provide the @types/trusted-types package in their compilation unit, which we don't want. To address this, get rid of the @types/trusted-types and instead import a minimal version of the Trusted Types type definitions directly into Angular's codebase. Update the existing references to Trusted Types to point to the new definitions.
Angular treats constant values of attributes and properties in templates as secure. This means that these values are not sanitized, and are instead passed directly to the corresponding setAttribute or setProperty function. In cases where the given attribute or property is security-sensitive, this causes a Trusted Types violation. To address this, functions for promoting constant strings to each of the three Trusted Types are introduced to Angular's private codegen API. The compiler is updated to wrap constant strings with calls to these functions as appropriate when constructing the `consts` array. This is only done for security-sensitive attributes and properties, as classified by Angular's dom_security_schema.
IgorMinar
approved these changes
Oct 14, 2020
LGTM assuming that CI passes.
Reviewed-for: global-approvers
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 14, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 14, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 15, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
14 tasks
atscott
added a commit
that referenced
this issue
Oct 15, 2020
Angular treats constant values of attributes and properties in templates as secure. This means that these values are not sanitized, and are instead passed directly to the corresponding setAttribute or setProperty function. In cases where the given attribute or property is security-sensitive, this causes a Trusted Types violation. To address this, functions for promoting constant strings to each of the three Trusted Types are introduced to Angular's private codegen API. The compiler is updated to wrap constant strings with calls to these functions as appropriate when constructing the `consts` array. This is only done for security-sensitive attributes and properties, as classified by Angular's dom_security_schema. PR Close #39211
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 15, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 15, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 16, 2020
When an attribute has a constant value that is marked for translation (i18n-attrName), a special variable is created in the `consts` array of the compiled template. Since this is not a constant, it is not promoted to a Trusted Type by angular#39211, and can thus cause Trusted Types violations. The same applies to constant attributes parsed out of (potentially translated) i18n ICU messages. Use the newly introduced `SanitizerFn` to promote these constants directly to appropriate Trusted Types. Tree shakability is not a concern here since Trusted Types are already required for i18n to work (angular#39208).
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 28, 2020
Angular-internal type definitions for Trusted Types were added in angular#39211. When compiled using the Closure compiler with certain optimization flags, identifiers from these type definitions (such as createPolicy) are currently uglified and renamed to shorter strings. This causes Angular applications compiled in this way to fail to create a Trusted Types policy, and fall bock to using strings. To fix this, mark the internal Trusted Types definitions as declarations using the "declare" keyword.
14 tasks
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 28, 2020
Angular-internal type definitions for Trusted Types were added in angular#39211. When compiled using the Closure compiler with certain optimization flags, identifiers from these type definitions (such as createPolicy) are currently uglified and renamed to shorter strings. This causes Angular applications compiled in this way to fail to create a Trusted Types policy, and fall bock to using strings. To fix this, mark the internal Trusted Types definitions as declarations using the "declare" keyword.
bjarkler
added a commit
to bjarkler/angular
that referenced
this issue
Oct 29, 2020
Angular-internal type definitions for Trusted Types were added in angular#39211. When compiled using the Closure compiler with certain optimization flags, identifiers from these type definitions (such as createPolicy) are currently uglified and renamed to shorter strings. This causes Angular applications compiled in this way to fail to create a Trusted Types policy, and fall bock to using strings. To fix this, mark the internal Trusted Types definitions as declarations using the "declare" keyword. Also convert types to interfaces, for the reasons explained in https://ncjamieson.com/prefer-interfaces/
josephperrott
added a commit
that referenced
this issue
Oct 29, 2020
Angular-internal type definitions for Trusted Types were added in #39211. When compiled using the Closure compiler with certain optimization flags, identifiers from these type definitions (such as createPolicy) are currently uglified and renamed to shorter strings. This causes Angular applications compiled in this way to fail to create a Trusted Types policy, and fall bock to using strings. To fix this, mark the internal Trusted Types definitions as declarations using the "declare" keyword. Also convert types to interfaces, for the reasons explained in https://ncjamieson.com/prefer-interfaces/ PR Close #39471
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Angular treats constant values of attributes and properties in templates
as secure. This means that these values are not sanitized, and are
instead passed directly to the corresponding setAttribute or setProperty
function. In cases where the given attribute or property is
security-sensitive, this causes a Trusted Types violation.
To address this, functions for promoting constant strings to each of the
three Trusted Types are introduced to Angular's private codegen API. The
compiler is updated to wrap constant strings with calls to these
functions as appropriate when constructing the
constsarray. This isonly done for security-sensitive attributes and properties, as
classified by Angular's dom_security_schema.
This is based on #39207. See the individual commits for more details.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
Does this PR introduce a breaking change?
Other information
This is part of an ongoing effort to add support for Trusted Types to Angular.
The text was updated successfully, but these errors were encountered: