Add a customizable nonce attribute to injected style elements - CSP #26152
Comments
Note webpack already supports this: Related: |
Any update on this? For a strict CSP this is essential. |
Very keen to see this implemented. Is there a workaround at the moment since webpack already supports the nonce approach? |
Any update on this? I can't see how to enable a strict CSP with Angular at the moment. Will Angular 9 & Ivy / Bazel allow it? Coming from angular/angular-cli#12378. @clydin, maybe you have a take on this? To clarify: I still need "style-src" to include 'unsafe-inline' because styles are injected it seems. I don't know the internals, but that's what I see. And also "'self'" for scripts, which is not recommended by Google's CSP inspector |
I'm having the same issue and can't seem to find a workaround (eg. by using This is the offending code in
```javascript
_addStylesToHost(styles, host) {
  styles.forEach((style) => {
    // Creates a bare <style> element: no nonce attribute is set, so a
    // style-src policy without 'unsafe-inline' rejects it once appended.
    const styleEl = this._doc.createElement('style');
    styleEl.textContent = style;
    this._styleNodes.add(host.appendChild(styleEl));
  });
}
```
|
Still no progress? Angular is one of the leading JavaScript frameworks; it should not hinder developers from using high-security settings. |
Hello, what is the plan for this? Will this ever be addressed? |
For what I require I can't have inline style or javascript. Was really hoping Angular could be my go-to, as I like Angular's templating and ease of use to get things done. I guess I must use the manual approach. |
Out of sheer frustration that this issue hasn't been resolved yet, I've created a script that uses the First, the script queries the currentScript. This should be at the beginning of the script because later the value will be null (in FireFox) https://stackoverflow.com/questions/38769103/document-currentscript-is-null Next, for each
|
I proposed solving this and a set of other CSP issues to the team this month. The proposal wasn't prioritized, but I believe that the plan is to prioritize each of the related issues (this one included). Discussions between the Angular team and the Google Security team have already started. That said, I can't promise any kind of ETA. |
Any updates on this one? |
Seems this is more or less prioritized low |
Since our CSP also doesn't allow inline CSS, I currently disabled the inline CSS by putting the following in the production configuration of angular.json:
|
Any chance to put higher priority on it? Allowing inline scripts is not best practice from a security perspective. |
Or at least providing context from a security perspective why it isn't a priority to the community. |
@A-Fitz-Nelnet yes, but does not seem to work well with inline critical option and CSP with only nonce and no unsafe-inline CSS. |
I've looked into many issues and seen that workaround of adding the However, we need to know the official solution for such case as it is hard to find |
I'm submitting a...
Current behavior
No ability to define a nonce attribute on the style tag.
Expected behavior
I would like the ability to define a nonce generated on the server that Angular will add to the inline styles.
What is the motivation / use case for changing the behavior?
So that I can comply with business requirements not to use 'unsafe-inline' in CSP.
Environment