docs: update CSP section to mention Angular's minimum requirements

Closes angular/angular-cli#21711. Refs angular#6361, angular#37631.
dgp1130 · Sep 24, 2021 · 2f110af · 2f110af
1 parent 49d29e1
commit 2f110af
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/aio/content/guide/security.md b/aio/content/guide/security.md
@@ -167,10 +167,23 @@ Angular to allow binding into `<iframe src>`:
 
 Content Security Policy (CSP) is a defense-in-depth
 technique to prevent XSS. To enable CSP, configure your web server to return an appropriate
-`Content-Security-Policy` HTTP header. Read more about content security policy at the 
+`Content-Security-Policy` HTTP header. Read more about content security policy at the
 [Web Fundamentals guide](https://developers.google.com/web/fundamentals/security/csp) on the
 Google Developers website.
 
+The minimal policy required for Angular is:
+
+```
+default-src 'self'; style-src 'unsafe-inline';
+```
+
+The `default-src 'self';` section allows Angular to load all its required resources from the same
+origin. `style-src 'unsafe-inline';` is necessary for Angular components to load their styles (see
+[`angular/angular#6361`](https://github.com/angular/angular/issues/6361)).
+
+As projects grow and evolve, it is often necessary to expand the policy to enable other features,
+however this is all that is required by Angular.
+
 {@a trusted-types}
 ### Enforcing Trusted Types