Removal of 'unsafe-inline' CSP header from style-src breaks angular application, even though there are no inline css in the app #54963
Labels: area: security
Which @angular/* package(s) are the source of the bug?
Don't know / other
Is this a regression?
No
Description
We have enforced strict security measures in our application, where we want to remove 'unsafe-inline' from the style-src directive of the Content Security Policy (CSP). Removal of 'unsafe-inline' works for script-src but does not work for style-src, and the page breaks. We currently use Angular version 12.
Our application is used by a bank, and we have been challenged that this might lead to an XSS attack, and our application can't generate nonce values.
We need assurance from your end that the inclusion of 'unsafe-inline' for style-src can't lead to an XSS attack in an Angular app.
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
Please provide the environment you discovered this bug in (run ng version)
Anything else?
We need assurance from your end that the inclusion of 'unsafe-inline' for style-src can't lead to an XSS attack in an Angular app. It is not possible to generate nonce values in our app.