fix(core): hardening attribute and property binding rules for <iframe> elements #47964
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AndrewKushnir
added
state: WIP
area: core
angular-robot
bot
added
the
detected: breaking change
AndrewKushnir
force-pushed
the
iframe_bindings
branch
2 times, most recently
from
6ee1b09
to
c33d991
Compare
AndrewKushnir
commented
Nov 4, 2022
|
We do have a legit CI failure: https://app.circleci.com/pipelines/github/angular/angular/52802/workflows/69ac3544-43a7-4f3f-b24e-0dca7d5b8897/jobs/1250755 |
AndrewKushnir
force-pushed
the
iframe_bindings
branch
2 times, most recently
from
39d0d48
to
0531f7a
Compare
AndrewKushnir
changed the title
AndrewKushnir
force-pushed
the
iframe_bindings
branch
4 times, most recently
from
29daef7
to
e16ce25
Compare
AndrewKushnir
requested review from
alxhub,
pkozlowski-opensource and
bjarkler
AndrewKushnir
added
action: review
AndrewKushnir
force-pushed
the
iframe_bindings
branch
from
e16ce25
to
7649847
Compare
AndrewKushnir
force-pushed
the
iframe_bindings
branch
3 times, most recently
from
9d46d44
to
c44d7ad
Compare
…> elements This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.
AndrewKushnir
force-pushed
the
iframe_bindings
branch
from
c44d7ad
to
e1b9119
Compare
alxhub
approved these changes
Nov 9, 2022
alxhub
added
action: merge
|
This PR was merged into the repository by commit 2d8d562. |
alxhub
pushed a commit
that referenced
this pull request
Nov 9, 2022
…> elements (#47964) This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings. PR Close #47964
AndrewKushnir
added a commit
to AndrewKushnir/angular
that referenced
this pull request
Nov 11, 2022
…> elements (angular#47964) This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings. PR Close angular#47964
AndrewKushnir
added a commit
to AndrewKushnir/angular
that referenced
this pull request
Nov 11, 2022
…> elements (angular#47964) This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings. PR Close angular#47964
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
trekladyone
pushed a commit
to trekladyone/angular
that referenced
this pull request
Feb 1, 2023
…> elements (angular#47964) This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings. PR Close angular#47964
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>.
If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located.
BREAKING CHANGE:
Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.
PR Type
What kind of change does this PR introduce?
Does this PR introduce a breaking change?