angular / angular


platform-browser.mjs _getStyleElement function under SharedStylesHost class triggers CSP error #55847

Closed megatcorleone closed 2 weeks ago

megatcorleone commented 2 weeks ago

Which @angular/* package(s) are the source of the bug?

platform-browser

Is this a regression?

Yes

Description

Which @angular/* package(s) are the source of the bug?

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-qTTH3DuzKPmgtKU61WF0JCpnThDceaYDm31rPH7akOE='), or a nonce ('nonce-...') is required to enable inline execution.

Please provide the environment you discovered this bug in (run ng version)

Angular CLI: 17.3.7
Node: 20.13.1
Package Manager: npm 10.5.2
OS: darwin x64

Angular: 17.1.3
... animations, common, compiler, compiler-cli, core, forms
... language-service, platform-browser, platform-browser-dynamic
... platform-server, router, service-worker

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1701.4
@angular-devkit/build-angular   17.1.4
@angular-devkit/core            17.1.4
@angular-devkit/schematics      17.1.4
@angular/fire                   16.0.0
@angular/pwa                    17.1.4
@schematics/angular             17.1.4
rxjs                            7.5.7
typescript                      5.3.3
zone.js                         0.14.5

Ionic:

   Ionic CLI                     : 7.2.0 (/Users/n7168/.nvm/versions/node/v20.13.1/lib/node_modules/@ionic/cli)
   Ionic Framework               : @ionic/angular 8.1.1 (/Users/n7168/HLF-ng17-ionic8/node_modules/@ionic/angular)
   @angular-devkit/build-angular : 17.1.4 (/Users/n7168/HLF-ng17-ionic8/node_modules/@angular-devkit/build-angular)
   @angular-devkit/schematics    : 17.1.4 (/Users/n7168/HLF-ng17-ionic8/node_modules/@angular-devkit/schematics)
   @angular/cli                  : not installed
   @ionic/angular-toolkit        : not installed

Anything else?

Issue: Hitting CSP violation for style-src on appendChild object method under _getStyleElement function.

Note: We are prevented from using 'unsafe-inline' due to penetration testing report on Content Security Policy.

json-derulo commented 2 weeks ago

Please stick to the CSP guide. If you cannot use unsafe-inline, you need to generate a nonce, provide it to Angular and add it to the CSP headers.

alan-agius4 commented 2 weeks ago

Closing as this is expected. Please see CSP guide.