Add support for __webpack_nonce__ to inline styles CSP #12378

Closed
mcm-ham opened this issue Sep 27, 2018 · 5 comments
Labels
feature Issue that requests a new feature

@mcm-ham
mcm-ham commented Sep 27, 2018

Bug Report or Feature Request (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x] feature request

Command (mark with an x)

- [ ] new
- [x] build
- [ ] serve
- [ ] test
- [ ] e2e
- [ ] generate
- [ ] add
- [ ] update
- [ ] lint
- [ ] xi18n
- [ ] run
- [ ] config
- [ ] help
- [ ] version
- [ ] doc

Versions

node: 10.8.0
npm: 6.3.0
ng: 6.2.3
os: Windows 10

Desired functionality

I would like the ability to define a nonce generated on the server that Angular will add to the inline styles so that I can comply with business requirements not to use 'unsafe-inline' in CSP.

Mention any other details that might be useful

https://webpack.js.org/guides/csp/
webpack-contrib/style-loader#319

Adding __webpack_nonce__ to the entry file did work for injected script tags but not the injected style tags used for the component CSS.

This is more of a support question but worth considering when documenting. To use this feature properly we should cryptographically generate the nonce on the server when serving the Angular app to the client and use it in the entry file. Not sure of the intended webpack way to do this, but I tried this suggestion without success: styled-components/styled-components#887 (comment).

@clydin
Member

clydin commented Sep 27, 2018

Note that this is something that Angular itself would need to support, as it (and not webpack) adds the styles at runtime.

@clydin
Member

clydin commented Sep 27, 2018

Also, to properly use a nonce, it should be randomly generated by the server upon each request to prevent it from being easily guessed, necessitating a server with HTML templating. And there would need to be additional Angular APIs to support this and allow Angular to be aware of the current nonce.
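
The server side of what the comment above describes, as an added example that is not part of the original thread or of Angular's or webpack's code: a fresh nonce per request, templated into the HTML and matched in the CSP header. The `{{nonce}}` placeholder, the template and the function names are assumptions made for illustration.

```javascript
const { randomBytes } = require('crypto');

// Constructed page; {{nonce}} is a hypothetical placeholder for this sketch.
const TEMPLATE = `<!doctype html>
<html>
<head>
  <style nonce="{{nonce}}">body { margin: 0; }</style>
</head>
<body>
  <app-root></app-root>
  <script nonce="{{nonce}}" src="main.js"></script>
</body>
</html>`;

// 128 bits from the OS CSPRNG, so the value cannot be predicted from earlier responses.
function generateNonce() {
  return randomBytes(16).toString('base64');
}

// Policy with no 'unsafe-inline': inline <style>/<script> need this response's nonce.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ].join('; ');
}

// Render one response: fresh nonce, templated HTML, matching header.
function renderPage(template = TEMPLATE) {
  const nonce = generateNonce();
  // Base64 output has no quote or angle-bracket characters, so it is safe in an attribute.
  const html = template.split('{{nonce}}').join(nonce);
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': buildCsp(nonce),
    // A cached copy would replay the same nonce to later visitors.
    'Cache-Control': 'no-store',
  };
  return { nonce, html, headers };
}

// Handler for http.createServer(); the client-side hand-off of the nonce
// (for example to __webpack_nonce__ in the entry file) is outside this sketch.
function handleRequest(req, res) {
  const { html, headers } = renderPage();
  res.writeHead(200, headers);
  res.end(html);
}
```

Pass `handleRequest` to `http.createServer()` to serve the page; style elements that a framework injects at runtime still need the same nonce, which is the gap this issue is about.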

@ngbot ngbot bot removed this from the Backlog milestone Sep 27, 2018
@clydin
Member

clydin commented Sep 27, 2018

If you are interested in pursuing this, can you open an issue on angular/angular regarding the ability to add a customizable nonce attribute to injected style elements?

@mcm-ham
Author

mcm-ham commented Sep 28, 2018

Thanks clydin, I have opened a feature request in the Angular repo.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 8, 2019