<style></style> elements are inserted without honoring CSP_NONCE or ngCspNonce.
It inserted following style tag but missing nonce attribute.
<style type="text/css">
/*
@ngbracket/ngx-layout - workaround for possible browser quirk with mediaQuery listeners
see http://bit.ly/2sd4HMP
*/
@media screen and (min-width: 600px), screen and (min-width: 960px), screen and (min-width: 1280px), screen and (min-width: 1920px), screen and (min-width: 1920px) and (max-width: 4999.98px), screen and (max-width: 1919.98px), screen and (min-width: 1280px) and (max-width: 1919.98px), screen and (max-width: 1279.98px), screen and (min-width: 960px) and (max-width: 1279.98px), screen and (max-width: 959.98px), screen and (min-width: 600px) and (max-width: 959.98px), screen and (max-width: 599.98px), screen and (min-width: 0px) and (max-width: 599.98px), print {.fx-query-test{ }}
</style>
What is the expected behaviour?
Inserts nonce attribute for styles that it inserts just like other angular platform.
Bug Report
<style></style>elements are inserted without honoringCSP_NONCEorngCspNonce.It inserted following style tag but missing nonce attribute.
What is the expected behaviour?
Inserts nonce attribute for styles that it inserts just like other angular platform.
What is the current behaviour?
No nonce attribute.
What are the steps to reproduce?
Follow any of the 2 strategies to prepare app with nonce from https://angular.io/guide/security#content-security-policy when bootstraping or in index.html (ngCspNonce)
Try this https://stackblitz.com/edit/rng372?file=src%2Fmain.ts
Inspect elements /head/styles/ - the style inserted by this package does not have nonce attribute.
Notice 3