Failed to implement CSP Policy's for styles with CSP_NONCE token #54689
Labels: area: core, area: security, core: stylesheets, cross-cutting: CSP
Which @angular/* package(s) are the source of the bug?
core
Is this a regression?
No
Description
When implementing the CSP policy for styles, we decided to go with the CSP_NONCE token because we are caching index.html.
In order to implement this token we decided to use APP_INITIALIZER to receive a nonce token from the server before the application is loaded and use it afterwards.
For this, we wrote a simple nonce service that is responsible for getting and saving the token.
After that we added this configuration to app.module.ts:
Example of execution order.
And as a result we get incorrect behavior: our CSP_NONCE is executed before APP_INITIALIZER for some reason. Because of this we cannot get the nonce token from the server. Also, useFactory does not work with asynchronous operations anywhere except APP_INITIALIZER, which is why we decided to use it.
Expected Behavior: CSP_NONCE token should work fine with factory approach
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
No response
Please provide the environment you discovered this bug in (run ng version)
Anything else?
No response
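The ordering problem described in this issue, as a simplified TypeScript model added here; it is not the reporter's code and not Angular's injector. `NonceService`, `fetchNonce`, `bootstrapAsReported` and `bootstrapAfterNonce` are hypothetical names, and the nonce value is constructed.

```typescript
// Simplified model (assumption): Provider stands in for a useFactory provider
// such as the one the issue registers for CSP_NONCE. Not Angular's DI.
type Provider<T> = { useFactory: () => T };

class NonceService {
  private nonce: string | null = null;
  // fetchNonce is a constructed stand-in for the request to the server.
  load(fetchNonce: () => Promise<string>): Promise<void> {
    return fetchNonce().then((n) => { this.nonce = n; });
  }
  get(): string | null { return this.nonce; }
}

// Constructed sample value; a real nonce is random and issued by the server.
const SAMPLE_NONCE = "constructed-nonce-123";
const fetchNonce = (): Promise<string> => Promise.resolve(SAMPLE_NONCE);

// Ordering reported in the issue: the synchronous nonce factory is called
// while the initializer's promise is still pending, so it captures null.
function bootstrapAsReported(): { seenByFactory: string | null; ready: Promise<void> } {
  const svc = new NonceService();
  const cspNonce: Provider<string | null> = { useFactory: () => svc.get() };
  const ready = svc.load(fetchNonce);          // async initializer starts
  const seenByFactory = cspNonce.useFactory(); // factory runs before it resolves
  return { seenByFactory, ready };
}

// Ordering without the race in this model: wait for the nonce first, and only
// then evaluate the factory. A missing nonce fails loudly instead of being
// passed on as null.
function bootstrapAfterNonce(): Promise<string> {
  const svc = new NonceService();
  return svc.load(fetchNonce).then(() => {
    const cspNonce: Provider<string> = {
      useFactory: () => {
        const n = svc.get();
        if (n === null) throw new Error("nonce not loaded before factory ran");
        return n;
      },
    };
    return cspNonce.useFactory();
  });
}
```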