Auto-CSP generates invalid loader scripts for some <script> tags #29054

@aaronshim

Command

build

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

Auto-CSP relies on rewriting scripts of the form <script src="..."></script> into an inline loader script that will dynamically re-create these tags and add them to the DOM.

There are some <script src="..."> configurations that generate inline loader scripts that will not run on the transformed page, such as

  • Having your <script src="..."> tag appear in the <head> rather than the <body> of the document.
  • Having your <script src="..."> tag interpreted as something that will create a type="undefined" attribute on the generated node added to the DOM

Minimal Reproduction

The index.html should have the following:

```html
<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <base href="/">
  <script src='script1.js'></script>
</head>
<body>
  <app-root></app-root>
  <script src='script2.js'></script>
</body>
</html>
```

Exception or Error

`script1.js` and `script2.js` do not run.

Your Environment

```
     _                      _                 ____ _     ___
    / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
   / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
  / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
 /_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
                |___/

Angular CLI: 19.0.3
Node: 20.15.1
Package Manager: npm 10.7.0
OS: linux x64

Angular:
...

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.1900.3 (cli-only)
@angular-devkit/core         19.0.3 (cli-only)
@angular-devkit/schematics   19.0.3 (cli-only)
@schematics/angular          19.0.3 (cli-only)
```

Anything else relevant?

No response
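The two failure modes in the report can be modelled as below. This is an added example, not Angular CLI code and not part of the original issue. The loader shape (appending to `document.body`, always assigning `type`), the DOM stand-in and every function name are assumptions made for illustration.

```javascript
// Added illustration; not Angular CLI source. All names are hypothetical.
// Tiny DOM stand-in so this runs under Node. It models two browser behaviours:
// document.body is null while <head> is parsed, and property values are stringified.
function makeDocument(parsingHead) {
  const appended = [];
  const parent = { appendChild: (el) => appended.push(el) };
  const stringProp = (el, name) =>
    Object.defineProperty(el, name, { set(v) { el.attrs[name] = String(v); } });
  return {
    appended,
    body: parsingHead ? null : parent,
    currentScript: { parentNode: parent }, // the inline loader's own <script>
    createElement: () => {
      const el = { attrs: {} };
      stringProp(el, 'src');
      stringProp(el, 'type');
      return el;
    },
  };
}

// Fragile loader (assumed shape): requires <body> and always assigns type.
function fragileLoader(document, scripts) {
  for (const { src, type } of scripts) {
    const s = document.createElement('script');
    s.src = src;
    s.type = type;                 // a missing type becomes the string "undefined"
    document.body.appendChild(s);  // TypeError when the loader runs inside <head>
  }
}

// Defensive loader: copies only attributes that exist, inserts next to itself.
function defensiveLoader(document, scripts) {
  const parent = document.currentScript.parentNode;
  for (const { src, type } of scripts) {
    const s = document.createElement('script');
    s.src = src;
    if (type !== undefined) s.type = type;
    parent.appendChild(s);
  }
}

// Simplified version of the browser rule: unknown types are inert data blocks.
function isExecutableType(type) {
  return type === undefined || type === '' || type === 'module' ||
    /^(text|application)\/(java|ecma)script$/i.test(type);
}
```

A build-time check that loads the transformed `index.html` and asserts every injected script has an executable `type` would catch this class of regression before it ships as a page whose scripts silently do not run.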
