
Removal of 'unsafe-inline' CSP header from style-src breaks angular application, even though there are no inline css in the app #54963

Open
bpoude opened this issue Mar 20, 2024 · 0 comments
Labels
area: security Issues related to built-in security features, such as HTML sanitation
Milestone

Comments

@bpoude

bpoude commented Mar 20, 2024

Which @angular/* package(s) are the source of the bug?

Don't know / other

Is this a regression?

No

Description

We have enforced strict security measures in our application, where we want to remove 'unsafe-inline' from the style-src directive of the Content Security Policy (CSP). Removing 'unsafe-inline' works for script-src, but it doesn't work with style-src and the page breaks. We currently use Angular version 12.
Our application is used by a bank, and we have been challenged that this might lead to an XSS attack; our application can't generate nonce values.
We need assurance from your end that the inclusion of 'unsafe-inline' for style-src can't lead to an XSS attack in an Angular app.

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

Refused to apply inline style because it violates the following Content Security Policy Directive

Please provide the environment you discovered this bug in (run ng version)

Angular : 12.0.5
Node : 14.13
Package Manager : npm
OS : Windows

animations, cli, common, compiler, cdk, core, forms, platform-browser, platform-browser-dynamic, router

Anything else?

We need assurance from your end that the inclusion of 'unsafe-inline' for style-src can't lead to an XSS attack in an Angular app. It is not possible to generate a nonce value in our app.

@jessicajaniuk jessicajaniuk added the area: security Issues related to built-in security features, such as HTML sanitation label Apr 2, 2024
@ngbot ngbot bot added this to the needsTriage milestone Apr 2, 2024