docs: update CSP section to mention Angular's minimum requirements

Closes angular/angular-cli#21711. Refs angular#6361, angular#37631.
dgp1130 · Sep 24, 2021 · 081d108 · 081d108
1 parent 49d29e1
commit 081d108
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/aio/content/guide/security.md b/aio/content/guide/security.md
@@ -167,10 +167,25 @@ Angular to allow binding into `<iframe src>`:
 
 Content Security Policy (CSP) is a defense-in-depth
 technique to prevent XSS. To enable CSP, configure your web server to return an appropriate
-`Content-Security-Policy` HTTP header. Read more about content security policy at the 
+`Content-Security-Policy` HTTP header. Read more about content security policy at the
 [Web Fundamentals guide](https://developers.google.com/web/fundamentals/security/csp) on the
 Google Developers website.
 
+The minimal policy required for brand new Angular is:
+
+```
+default-src 'self'; style-src 'self' 'unsafe-inline';
+```
+
+* The `default-src 'self';` section allows the page to load all its required resources from the same
+  origin.
+* `style-src 'self' 'unsafe-inline';` allows the page to load global styles from the same origin
+  (`'self'`) and enables components to load their styles (`'unsafe-inline'` - see
+  [`angular/angular#6361`](https://github.com/angular/angular/issues/6361)).
+
+As projects grow and evolve, it is often necessary to expand the policy to enable other features,
+however this is all that is required by Angular for a new app.
+
 {@a trusted-types}
 ### Enforcing Trusted Types