I'm investigating if there is a "safe"/sensible way to load third party components into an angular 2+ app in a way that protects the host app from typical security vulnerabilities or any it opens up in doing so. Reading pages like:
- https://angular.io/docs/ts/latest/guide/security.html
- https://netbasal.com/angular-2-security-the-domsanitizer-service-2202c83bd90
- https://www.troyhunt.com/introducing-angularjs-security/ (ng1) and soon on It seems that once external code gets loaded there's really nothing that can be done preventing it doing whatever it wants.
I'm no expert so I may be asking the wrong question or looking at the wrong things so here's the situation: There's an app A and using a "market place" style setup e.g. Play store or Apple's App store type thing,
- A third party can submit an app B that is effectively an ng2 module
- App A's servers stores and hosts the angular component for app B i.e. there's no need for B to load any external files.
- A user of app A can choose to "install" app B after which app A will load app B for the user (some kind of manual review done on app B).
Ideally what I've been looking for is a way to lock down app B so that it can't just pull in arbitrary code into app A and possibly isolate it so that it can only access a subset/whitelisted set of the angular APIs and only a prescribed API from app A can be injected into B.
Is there a way to achieve this in angular 2+?
Am I searching for the right things in terms of ensuring the continued integrity of app A and protecting the user?
If it's not possible to isolate app B, what aspects of security should I be researching/considering? This idea is in its infancy at the moment so nothing's set in stone but some method is needed to support hosting third party code.
(Side note: Stackoverflow thinks the questions appears subjective and I don't understand why so rather than down voting, I'd learn more from comments saying why this is subjective.)
