gpt4 book ai didi

angularjs - CSP 2.0(不安全内联)和 Angular

转载 作者:行者123 更新时间:2023-12-02 01:33:22 24 4
gpt4 key购买 nike

如果我在我的 Angular 应用程序上实现 CSP 2.0,并禁止来自 script-src 的 unsafe-inline,ng-click 和其他 Angular 事件会起作用吗?我猜 CSP 会阻止所有这些。

最佳答案

AngularJS 和 Content-Security-Policy 在 ngCsp 下有详细记录指示。以下是 unsafe 规则如何影响 Angular:

  • unsafe-eval: this rule forbids apps to use eval or Function(string) generated functions (among other things). Angular makes use of this in the $parse service to provide a 30% increase in the speed of evaluating Angular expressions.

  • unsafe-inline: this rule forbids apps from inject custom styles into the document. Angular makes use of this to include some CSS rules (e.g. ngCloak and ngHide). To make these directives work when a CSP rule is blocking inline styles, you must link to the angular-csp.css in your HTML manually.

特别是ngClick使用 AngularJS 表达式...

<ANY
ng-click="expression">
...
</ANY>

...和 ​​AngularJS expression不需要评估。

Angular does not use JavaScript's eval() to evaluate expressions. Instead Angular's $parse service processes these expressions.

关于angularjs - CSP 2.0(不安全内联)和 Angular,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32836621/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com