I'm submitting a ...
[X ] feature request
What modules are related to this Issue?
[X ] express-engine
Do you want to request a feature or report a bug?
I would like to suggest a feature
I have a route with a dynamic param (like http://localhost:8000/route/:id).
For each :id I perform an http query on the server side, set the result in transfer-state and then on the client side get the value from transfer-state.
This generates in the HTML output a script window['TRANSFER_STATE'] which is dynamic, i.e. it changes according to the requested data.
Therefore the problem is the following: it's not possible to define a proper Content-Security-Policy because the hash value of the script changes dynamically too, i.e. it won't be possible to add a 'sha256-.....' value for the transfer-state script since it keeps changing.
To solve this, I suggest setting a nonce attribute on the transfer-state script so that this value can then be referenced in the content security policy.
This could be solved by adding a single line in server-transfer-state.ts:
renderer.setAttribute(script, 'nonce', 'my-transfer-state');
which would then let the user set a policy like:
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-my-transfer-state'"/>
Do you agree, or is that a bad idea and dangerous?
Please tell us about your environment:
Angular version: 4.3.3
nice, yeah that sounds like a good idea.
cc @vikerman
Will keep this in mind when implementing once we've decided on an API https://github.com/angular/universal/issues/791
Cool! If I've got time this week I could then try to submit a PR to universal-starter for the time being, before the API.
PR for universal-starter created ;)
Will take this into consideration when designing the API for the state transfer. Adding a fixed nonce completely defeats the CSP mechanism, and at that point CSP might as well be turned off.
So transfer state will use a script tag to provide JSON rather than JS.
<!-- notice the type -->
<script type="application/json">
{
"your": "data"
}
</script>
Since the type isn't JS the browser won't parse it as JavaScript, and the framework will parse its content as JSON via .textContent. Since this is a non-JavaScript type CSP won't restrict it, so this is much safer. I'll close this since the new API has been merged.
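An added example, not Angular's own TransferState code, of the JSON-in-a-script-element approach described in the comment above, with the one check a practitioner would want alongside it: the element is never executed, so script-src needs no hash or nonce for it, but the serialized text still has to be escaped, because a value containing "</script>" would close the element early and whatever follows would be parsed as markup. The element id, the escape function and the parsing helper are assumptions made for this illustration.

```javascript
// Added example, not Angular's TransferState implementation: embedding state
// in a non-executing <script type="application/json"> element and reading it
// back, with escaping so user-controlled values cannot break out of it.

const STATE_ELEMENT_ID = 'app-transfer-state'; // assumed id, not Angular's

// JSON permits \uXXXX escapes inside strings, so replacing these characters
// keeps the text valid JSON while removing anything that could end the
// element or open a tag or comment inside it. JSON never has these
// characters outside string values, so the replacement is safe everywhere.
function escapeForScriptElement(json) {
  return json
    .replace(/&/g, '\\u0026')
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// Server side: serialise the state object into the element.
function serializeTransferState(state) {
  const body = escapeForScriptElement(JSON.stringify(state));
  return `<script id="${STATE_ELEMENT_ID}" type="application/json">${body}</script>`;
}

// Client side: locate the element and JSON.parse its text. In a browser this
// would be document.getElementById(id).textContent; here the text is cut out
// of the HTML string so the example runs under Node without a DOM.
function parseTransferState(html) {
  const open = `<script id="${STATE_ELEMENT_ID}" type="application/json">`;
  const start = html.indexOf(open);
  if (start === -1) throw new Error('transfer-state element not found');
  const bodyStart = start + open.length;
  const end = html.indexOf('</script>', bodyStart);
  if (end === -1) throw new Error('transfer-state element not terminated');
  return JSON.parse(html.slice(bodyStart, end));
}

// Safety check: the only "</script>" in the output must be the element's own
// closing tag, whatever the state contained.
function hasSingleScriptClose(html) {
  const first = html.indexOf('</script>');
  return first !== -1 && first === html.lastIndexOf('</script>');
}
```

The same escaping is what keeps the approach safe even though no CSP source expression covers the element: CSP stops the browser from executing the element, but it does nothing about markup injection through its text, which is why the escape step is not optional.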