jlfrances commented 3 months ago

Describe the bug

The bug happens for some elements that are not applying the CSP 'nonce' policy correctly.

In my case, the p-table element is failing since it seems when it's configured as responsive, using responsiveLayout="stack" (check PrimeNG docs here), there are inline styles applied dynamically (using the innerHTML attribute) that do not contain the 'nonce' attribute.

I have replicated the error in a Stackblitz.

Check the Steps to reproduce the behavior section for details.

Reproducer

https://stackblitz.com/edit/2xjzsk

Angular version

18

PrimeNG version

17.18.1

Build / Runtime

Angular CLI App

Language

TypeScript

Node version (for AoT issues node --version)

20

Browser(s)

No response

Steps to reproduce the behavior

I added to my project the configurations provided by Angular and PrimeNG in order to apply and comply the Content-Security-Policy NONCE feature as follows:

Angular configurations (see Security section):

index.html

The meta tag
The ngCspNonce attribute in the main component

PrimeNG configurations (see Configution > CSP)

table-basic-demo.ts

The PrimeNG configuration

Error(s)

When loading the p-table component, you could see errors saying that nonce is not implemented for some inline styles.

Note that there might be other errors not related to this issue.

Error 1: related to other component. Might be related to the same nonce issue.

Error 2 and 3: related to p-table issue. In createResponsiveStyle() function is where the issue happens:

Related issue

14847 p-pickList: Content-Security-Policy throws a inline-style error when [responsive]="true"

SoyDiego commented 3 months ago

@cetincakiroglu This is the problem that I was talking with you.