Add support for __webpack_nonce__ to inline styles CSP #12378
Comments
Note that this is something that Angular itself would need to support, as it (and not webpack) adds the styles at runtime.
Also, to properly use a nonce, it should be randomly generated by the server upon each request to prevent it from being easily guessed, necessitating a server with HTML templating. And there would need to be additional Angular APIs to support this and allow Angular to be aware of the current nonce.
If you are interested in pursuing this, can you open an issue on angular/angular regarding the ability to add a customizable nonce attribute to injected style elements?
Thanks clydin, have opened a feature request in the angular repo.
Bug Report or Feature Request (mark with an x)
Command (mark with an x)
Versions
node: 10.8.0
npm: 6.3.0
ng: 6.2.3
os: Windows 10
Desired functionality
I would like the ability to define a nonce generated on the server that angular will add to the inline styles so that I can comply with business requirements not to use 'unsafe-inline' in CSP.
Mention any other details that might be useful
https://webpack.js.org/guides/csp/
webpack-contrib/style-loader#319
Adding `__webpack_nonce__` to the entry file did work for injected script tags but not the injected style tags used for the component css.
This is more of a support question but worth considering when documenting. To use this feature properly we should cryptographically generate the nonce on the server when serving the angular app to the client and use it in the entry file. Not sure of the intended webpack way to do this, but tried this suggestion without success: styled-components/styled-components#887 (comment).
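
The server side of what the thread describes, as an added example that is not code from this issue, Angular or webpack: a fresh nonce per response, placed in both the `Content-Security-Policy` header and the templated `index.html`. The `{{nonce}}` placeholder, the `window.__CSP_NONCE__` global and the function names are assumptions made for illustration, and this does not by itself make Angular put the nonce on the style elements it injects.

```javascript
// Added example: per-request CSP nonce for a server-templated index.html.
const { randomBytes } = require('node:crypto');

// Constructed template. "{{nonce}}" and window.__CSP_NONCE__ are hypothetical
// names; the entry file would then do: __webpack_nonce__ = window.__CSP_NONCE__;
const INDEX_TEMPLATE = `<!doctype html>
<html>
  <head>
    <script nonce="{{nonce}}">window.__CSP_NONCE__ = "{{nonce}}";</script>
  </head>
  <body>
    <app-root></app-root>
    <script nonce="{{nonce}}" src="main.js"></script>
  </body>
</html>`;

// 128 bits from the CSPRNG, base64-encoded; never reused across responses.
function generateNonce() {
  return randomBytes(16).toString('base64');
}

// Policy without 'unsafe-inline': inline scripts/styles need this exact nonce.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ].join('; ');
}

// Build one response: the same fresh nonce goes into the header and the markup.
function renderResponse(template = INDEX_TEMPLATE) {
  const nonce = generateNonce();
  return {
    nonce,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': buildCsp(nonce),
      'Cache-Control': 'no-store', // a cached page would replay an old nonce
    },
    body: template.replace(/\{\{nonce\}\}/g, () => nonce),
  };
}

// Handler for Node's http.createServer(handleRequest).listen(port).
function handleRequest(req, res) {
  const { headers, body } = renderResponse();
  res.writeHead(200, headers);
  res.end(body);
}
```
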