mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
2d8d562604
This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings. PR Close #47964
38 lines
1.2 KiB
JSON
38 lines
1.2 KiB
JSON
/**
|
|
* The central exemption list of existing tsec violations. Modifications to
|
|
* this list should be carefully reviewed by a security expert.
|
|
*/
|
|
{
|
|
"ban-trustedtypes-createpolicy": [
|
|
"core/src/util/security/trusted_types_bypass.ts",
|
|
"core/src/util/security/trusted_types.ts",
|
|
"compiler/src/output/output_jit_trusted_types.ts"
|
|
],
|
|
"ban-element-innerhtml-assignments": [
|
|
"core/src/sanitization/inert_body.ts"
|
|
],
|
|
"ban-element-setattribute": [
|
|
"platform-browser/src/browser/meta.ts"
|
|
],
|
|
"ban-domparser-parsefromstring": [
|
|
"core/src/sanitization/inert_body.ts"
|
|
],
|
|
"ban-script-content-assignments": [
|
|
"platform-server/src/transfer_state.ts"
|
|
],
|
|
"ban-function-calls": [
|
|
"core/src/interface/type.ts",
|
|
"core/src/reflection/reflection_capabilities.ts",
|
|
"core/src/util/security/trusted_types.ts",
|
|
"core/src/render3/instructions/listener.ts",
|
|
"compiler/src/core.ts",
|
|
"compiler/src/output/output_jit_trusted_types.ts",
|
|
"platform-server/src/server_renderer.ts"
|
|
],
|
|
"ban-window-stringfunctiondef": [
|
|
"core/src/render3/util/misc_utils.ts"
|
|
],
|
|
"ban-iframe-srcdoc-assignments": [
|
|
"core/src/sanitization/iframe_attrs_validation.ts"
|
|
]
|
|
}
|