Update docs to reflect support status of trusted types #41637
Comments
The Trusted Types API is still in its draft phase and is not supported in a number of browsers, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types. Webpack 5, which the Angular CLI uses under the hood as bundler, see webpack/webpack#9856 (comment). I'll bring this up for discussion with the rest of the team to decide on a way forward.
@alan-agius4 Thanks for taking this up for discussion.
Had a chat with @mgechev, and indeed we should remove trusted types from being recommended in angular.io until this issue is resolved upstream.
@aikidave the context here is that one of our dependencies (Webpack) has an issue with supporting trusted types that makes them difficult/impossible to use for some use cases, even though everything seemed to be squared away on the Angular side. We probably need to update the docs to reflect this newly discovered limitation.
I will have a PR that removes the content about Trusted Types ready in a day or so.
We have removed Trusted Types from our documentation until the product team confirms it works as intended with WebPack. See #41754.
🐞 bug report
Affected Package
Angular-CLI (webpack) and CSP trusted types integration.
Is this a regression?
Not that I can determine. I started testing the issue with v9.1.x; It was also present there.
Description
For security reasons it is important to have proper Content-Security-Policy (CSP) headers present. The Angular documentation suggests the use of trusted types. The suggested configuration works well as long as no lazy loaded modules are used.
Once lazy loaded modules are used and loading of one of the modules is triggered, the module load violates the CSP rules. The suggested CSP settings should also work with lazy loading, or a secure alternative would be helpful.
🔬 Minimal Reproduction
ng new --routing --strict --style scss csp-lazy-loading
ng g m lazymod --routing --route lazymod --module app.module
angular.json (in serve.options):
"headers": {"Content-Security-Policy": "trusted-types angular; require-trusted-types-for 'script';"}
The result of the steps above is available in https://github.com/bbreijer/ng11-csp-lazy-loading
ng serve --prod
🔥 Exception or Error
In
runtime.js
In
main.js
🌍 Your Environment
Angular Version:
Anything else relevant?
Documentation:
Related issues:
Reproduced in Chrome 89.0.
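The report above describes the symptom (a lazy chunk load is blocked once `require-trusted-types-for 'script'` is in force) without spelling out what the browser actually checks. The following is an added example, not code from Angular, webpack, Chrome or this issue: a small constructed model of that check. It parses the exact header from the reproduction, gates policy creation on the `trusted-types` directive, and models a `<script>` `src` sink that rejects plain strings. The chunk loader `loadChunk`, the policy helper `makeChunkUrlPolicy`, the `Violation` class and the chunk file name `123.abc.js` are this example's own assumptions; the shape of a bundler runtime assigning a raw string to `script.src` is what the model reproduces, not webpack's real code.

```javascript
// Constructed model of CSP Trusted Types enforcement against a chunk-loading script sink.
// Not Angular, webpack or browser code; names below are this example's own.

const CSP_FROM_REPORT = "trusted-types angular; require-trusted-types-for 'script';";

// Parse a CSP header into a Map of directive name -> value tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

class Violation extends Error {}

// Opaque wrapper standing in for the browser's TrustedScriptURL type.
class TrustedScriptURL {
  constructor(value) { this.value = value; Object.freeze(this); }
  toString() { return this.value; }
}

// Stand-in for window.trustedTypes: creating a policy is gated by the trusted-types directive.
// No directive or '*' allows any name; otherwise the name must be listed.
function makeTrustedTypes(csp) {
  const directive = csp.get('trusted-types');
  const created = new Set();
  return {
    createPolicy(name, rules) {
      const nameAllowed = directive === undefined || directive.includes('*') || directive.includes(name);
      if (!nameAllowed) throw new Violation(`policy "${name}" is not listed in trusted-types`);
      if (created.has(name) && !(directive || []).includes("'allow-duplicates'")) {
        throw new Violation(`policy "${name}" already exists`);
      }
      created.add(name);
      return {
        createScriptURL(input) {
          if (typeof rules.createScriptURL !== 'function') throw new TypeError('no createScriptURL rule');
          return new TrustedScriptURL(String(rules.createScriptURL(String(input))));
        },
      };
    },
  };
}

// Stand-in for a <script> element: with require-trusted-types-for 'script' in force,
// assigning a plain string to .src is a CSP violation; a TrustedScriptURL is accepted.
function makeScriptElement(csp) {
  const enforced = (csp.get('require-trusted-types-for') || []).includes("'script'");
  let src;
  return {
    set src(value) {
      if (enforced && !(value instanceof TrustedScriptURL)) {
        throw new Violation('script.src requires a TrustedScriptURL under this CSP');
      }
      src = String(value);
    },
    get src() { return src; },
  };
}

// Chunk loader in the shape of a bundler runtime: make a <script> whose src is the chunk URL.
// `toUrl` is how the caller turns the file name into the assigned value (identity = raw string).
function loadChunk(csp, chunkFile, toUrl = (u) => u) {
  const script = makeScriptElement(csp);
  try {
    script.src = toUrl(chunkFile);
    return { loaded: true, src: script.src };
  } catch (e) {
    if (e instanceof Violation) return { loaded: false, error: e.message };
    throw e;
  }
}

// A policy registered under the name the header allows. The rule only accepts bare chunk
// file names, so the policy cannot be abused to load an arbitrary URL.
function makeChunkUrlPolicy(trustedTypes, name) {
  return trustedTypes.createPolicy(name, {
    createScriptURL: (s) => {
      if (!/^[\w.-]+\.js$/.test(s)) throw new TypeError(`refusing non-chunk script URL: ${s}`);
      return s;
    },
  });
}

// Scenarios: lazy chunk load under the reported header, raw string vs. policy-wrapped URL,
// an unlisted policy name, and the same raw load when enforcement is not requested.
function scenarios() {
  const csp = parseCsp(CSP_FROM_REPORT);
  const tt = makeTrustedTypes(csp);
  const angularPolicy = makeChunkUrlPolicy(tt, 'angular');
  let unlisted;
  try { makeChunkUrlPolicy(tt, 'webpack'); unlisted = 'created'; } catch (e) { unlisted = e.message; }
  return {
    rawUnderCsp: loadChunk(csp, '123.abc.js'),
    viaAngularPolicy: loadChunk(csp, '123.abc.js', (u) => angularPolicy.createScriptURL(u)),
    unlistedPolicy: unlisted,
    rawWithoutEnforcement: loadChunk(parseCsp('trusted-types angular'), '123.abc.js'),
  };
}
```

Running `scenarios()` shows the two halves of the report: the raw assignment is refused under the header while the same file name wrapped by the `angular` policy loads, and a policy under any name the directive does not list cannot even be created. That is why a bundler runtime that builds the chunk URL itself, outside any policy the application controls, cannot satisfy this header.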