This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Commit c900b9c

docs(guide/security): provide more information about security features
Thanks to Jim Manico for help updating this guide.
1 parent 6a4597b commit c900b9c

1 file changed

+75
-10
lines changed

docs/content/guide/security.ngdoc

@@ -9,6 +9,27 @@ This document explains some of AngularJS's security features and best practices
99
keep in mind as you build your application.
1010

1111

12+
## Reporting a security issue
13+
14+
Email us at [[email protected]](mailto:[email protected]) to report any potential
15+
security issues in AngularJS.
16+
17+
Please keep in mind the points below about Angular's expression language.
18+
19+
20+
## Use the latest AngularJS possible
21+
22+
Like any software library, it is critical to keep AngularJS up to date. Please track the
23+
[CHANGELOG](https://github.com/angular/angular.js/blob/master/CHANGELOG.md) and make sure you are aware
24+
of upcoming security patches and other updates.
25+
26+
Be ready to update rapidly when new security-centric patches are available.
27+
28+
Those that stray from Angular standards (such as modifying Angular's core) may have difficulty updating,
29+
so keeping to AngularJS standards is not just a functionality issue, it's also critical in order to
30+
facilitate rapid security updates.
31+
32+
1233
## Expression Sandboxing
1334

1435
AngularJS's expressions are sandboxed not for security reasons, but instead to maintain a proper
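Review bot: the sentence moved into the new "Reporting a security issue" section, "Please keep in mind the points below about Angular's expression language.", no longer says what a reporter should keep in mind or why; between the contact address and the "Use the latest AngularJS possible" heading it reads as a stray line. Since the point it refers to is that expressions are sandboxed "not for security reasons" (the "Expression Sandboxing" section below), say that directly here, e.g. "Before reporting, read the Expression Sandboxing section below: the expression sandbox is not a security feature." Minor: the added text alternates between "Angular" and "AngularJS" (the guide itself says AngularJS), and the heading "Use the latest AngularJS possible" reads awkwardly; "Keep AngularJS up to date" matches the section's first sentence.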
@@ -25,36 +46,80 @@ But if an attacker can change arbitrary HTML templates, there's nothing stopping
2546
<script>somethingEvil();</script>
2647
```
2748

28-
It's better to design your application in such a way that users cannot change client-side templates.
49+
**It's better to design your application in such a way that users cannot change client-side templates.**
50+
2951
For instance:
3052

3153
* Do not mix client and server templates
3254
* Do not use user input to generate templates dynamically
3355
* Do not run user input through `$scope.$eval`
3456
* Consider using {@link ng.directive:ngCsp CSP} (but don't rely only on CSP)
3557

36-
## Mixing client-side and server-side templates
58+
59+
### Mixing client-side and server-side templates
3760

3861
In general, we recommend against this because it can create unintended XSS vectors.
3962

4063
However, it's ok to mix server-side templating in the bootstrap template (`index.html`) as long
4164
as user input cannot be used on the server to output html that would then be processed by Angular
4265
in a way that would allow for arbitrary code execution.
4366

44-
For instance, you can use server-side templating to dynamically generate CSS, URLs, etc, but not
45-
for generating templates that are bootstrapped/compiled by Angular.
67+
**For instance, you can use server-side templating to dynamically generate CSS, URLs, etc, but not
68+
for generating templates that are bootstrapped/compiled by Angular.**
4669

4770

48-
## Reporting a security issue
71+
## HTTP Requests
4972

50-
Email us at [[email protected]](mailto:[email protected]) to report any potential
51-
security issues in AngularJS.
73+
Whenever your application makes requests to a server there are potential security issues that need
74+
to be blocked. Both server and the client must cooperate in order to eliminate these threats.
75+
Angular comes pre-configured with strategies that address these issues, but for this to work backend
76+
server cooperation is required.
77+
78+
79+
### Cross Site Request Forgery (XSRF/CSRF)
80+
81+
Protection from XSRF is provided by using the double-submit cookie defense pattern.
82+
For more information please visit {@link $http#cross-site-request-forgery-xsrf-protection XSRF protection}.
83+
84+
### JSON Hijacking Protection
85+
86+
Protection from JSON Hijacking is provided if the server prefixes all JSON requests with following string `")]}',\n"`.
87+
Angular will automatically strip the prefix before processing it as JSON.
88+
For more information please visit {@link $http#json-vulnerability-protection JSON Hijacking Protection}.
89+
90+
91+
## Strict Contextual Escaping
92+
93+
Strict Contextual Escaping (SCE) is a mode in which AngularJS requires bindings in certain contexts to require
94+
a value that is marked as safe to use for that context.
95+
96+
This mode is implemented by the {@link $sce} service and various core directives.
97+
98+
One example of such a context is rendering arbitrary content via the {@link ngBindHtml} directive. If the content is
99+
provided by a user there is a chance of Cross Site Scripting (XSS) attacks. The {@link ngBindHtml} directive will not
100+
render content that is not marked as safe by {@link $sce}. The {@link ngSanitize} module can be used to clean such
101+
user provided content and mark the content as safe.
102+
103+
**Be aware that marking untrusted data as safe via calls to {@link $sce#trustAsHtml `$sce.trustAsHtml`}, etc is
104+
dangerous and will lead to Cross Site Scripting exploits.**
105+
106+
For more information please visit {@link $sce} and {@link ngSanitize.$sanitize}.
107+
108+
## Using Local Caches
109+
110+
There are various places that the browser can store (or cache) data. Within Angular there are objects created by
111+
the {@link $cacheFactory}. These objects, such as {@link $templateCache} are used to store and retrieve data,
112+
primarily used by {@link $http} and the {@link script} directive to cache templates and other data.
113+
114+
Similarly the browser itself offers `localStorage` and `sessionStorage` objects for caching data.
115+
116+
**Attackers with local access can retrieve sensitive data from this cache even when users are not authenticated.**
52117

53-
Please keep in mind the above points about Angular's expression language.
118+
For instance in a long running Single Page Application (SPA), one user may "log out", but then another user
119+
may access the application without refreshing, in which case all the cached data is still available.
54120

121+
For more information please visit [Web Storage Security](https://www.whitehatsec.com/blog/web-storage-security/).
55122

56123
## See also
57124

58125
* {@link ng.directive:ngCsp Content Security Policy}
59-
* {@link ng.$sce Strict Contextual Escaping}
60-
* {@link ngSanitize.$sanitize $sanitize}
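Review bot: in the new "JSON Hijacking Protection" section, "if the server prefixes all JSON requests with following string" should read "all JSON responses with the following string": the prefix is emitted by the server and stripped by the client before parsing (the next sentence says "Angular will automatically strip the prefix before processing it as JSON"), so "requests" names the wrong side of the exchange, and "the" is missing. Two smaller points in the same hunk: "a mode in which AngularJS requires bindings in certain contexts to require a value that is marked as safe" doubles "require"; "requires bindings in certain contexts to use a value that is marked as safe" reads cleanly. In "Using Local Caches", the `$cacheFactory`/`$templateCache` objects and the browser's `localStorage`/`sessionStorage` are introduced separately but then collapsed into "this cache", while the only example given ("another user may access the application without refreshing") describes the in-page case; state which store each statement applies to, and consider rewording "even when users are not authenticated" to the scenario the example actually describes, data left behind after the user who loaded it has logged out.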
