Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. ItΒ collects links to all the places you might be looking at while hunting down a tough bug.
And, if youβre still stuck at the end, weβre happy to hop on a call to see how we can help out.
docs(security): add useful guidance to the CSP section of the guide
See original GitHub issueπ Docs or angular.io bug report
Description
In the Security Guide for Angular, the section on Content Security Policy (CSP) provides no useful guidance or information on the specific requirements, impediments, or issues related to using a CSP with an Angular application.
π¬ Minimal Reproduction
Whatβs the affected URL?**
https://angular.io/guide/security#content-security-policy
Reproduction Steps**
This is the entire guide for using Angular with a Content Security Policy (CSP):
Content security policy
Content Security Policy (CSP) is a defense-in-depth technique to prevent XSS. To enable CSP, configure your web server to return an appropriate Content-Security-Policy HTTP header. Read more about content security policy at An Introduction to Content Security Policy on the HTML5Rocks website.
Expected vs Actual Behavior**
We should clearly state some of the known limitations and configurations for using Angular with a CSP.
Here are some related, known issues that have been around for 1-4 years now
[innerHTML] triggers CSP alert/report- Inline <style> elements violate style-src Content Security Policy
- feat: add a customizable nonce attribute for injected style elements
- Empty style tag generated when one or more components donβt have styles
Suggested Steps
- We should clearly state that allowing
'unsafe-inline'instyle-srcis required for Angular applications. - We should clearly state that
'self'is required forstyle-srcandscript-srcin Angular applications. - We should recommend
upgrade-insecure-requests. - We should document that
connect-srcmust be configured with'self'and any other font, script, or style sources that are retrieved by@angular/service-worker.
If there are some little-known work arounds for any of these issues, they should be documented in this guide.
π Your Environment
Browser info
Chrome 85
Anything else relevant?
WebPageTest.org now gives web sites/apps a security grade based on a scan by Snyk.
https://angular.io/guide/security#content-security-policy gets the following score
Issue Analytics
- State:
- Created 3 years ago
- Reactions:13
- Comments:13 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Some Google Security Engineers are pushing CSP +nonces quite a bit (instead of whitelists), so maybe also add a note about if/how that works (re webpackβs
__webpack_nonce__)? And maybe add a link to the cli docs that mention that it supports SRI (subresource integrity hashes) with an explanation what that does (and maybe that you can also send hashes instead of nonces in CSP headers - with CSP 3 even for external scripts)β¦Similar issue is being faced in our application. Our angular7 application is not working without unsafe-inline with βstyle-srcβ. Our security team is not allowing to have unsafe inline values in CSPβ¦ Is there a work around for this? or by when can we expect a fix from angular.