Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Angular2 Throws Security Exceptions under the CSP (Content Security Policy)

See original GitHub issue

I build and evangelize building mobile Chrome Apps using CCA. I do this extensively with Angular 1.x today but right now Angular 2 causes me some problems. It does not seem to support a “CSP mode” like angular 1x.

This code runs just fine when I include the library locally, but it throws a security error when I put any variables into my templates.

function AppComponent() {
  this.name = "testing";
}

AppComponent.annotations = [
  new angular.Component({
    selector: 'my-app'
  }),
  new angular.View({
    template: '<h1>My first Angular 2 App</h1>'
  })
];

document.addEventListener('DOMContentLoaded', function() {
  angular.bootstrap(AppComponent);
});

This works just fine under the CSP, but when I add the variable to the template:

function AppComponent() {
  this.name = "testing";
}

AppComponent.annotations = [
  new angular.Component({
    selector: 'my-app'
  }),
  new angular.View({
    template: '<h1>My first Angular 2 {{name}} App</h1>'
  })
];

document.addEventListener('DOMContentLoaded', function() {
  angular.bootstrap(AppComponent);
});

I get the following error:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Issue Analytics

State:
Created 8 years ago
Comments:22 (5 by maintainers)

Top GitHub Comments

22reactions

natizlpcommented, Apr 20, 2016

Can anyone provide a working example for working in CSP mode? @IgorMinar / @vsavkin / @wardbell - Would you care to comment?

9reactions

golearycommented, Jul 27, 2016

@hjliang while your example does work, I’ve been unable to get my much more complex app to run in a CSP environment. Help would be appreciated @IgorMinar @mhevery @vsavkin @wardbell

Top Results From Across the Web

Make Angular working with restrictive Content Security Policy ...

I've found a way to have restrictive CSP on my production environment while ... <meta http-equiv="Content-Security-Policy" content="default-src 'none'; ...

Defend Angular Applications with a Content Security Policy

Content Security Policy is a browser feature for protecting against cross-site scripting attacks (XSS), one of the most common attack vectors on ......

Angular Content Security Policy Guide - StackHawk

Content Security Policy (CSP) is an extra layer of security against attacks such as cross-site scripting (XSS) and data injection.

CONTENT SECURITY POLICY BEST PRACTICES - NCC Group

This policy permits the client browser to load scripts from script.csp.com and all other resources from the host domain. There are a two...

Security - Angular

Content Security Policy (CSP) is a defense-in-depth technique to prevent XSS. To enable CSP, configure your web server to return an appropriate Content-Security...