docs: update security guide to mention new CSP functionality #49561
Deployed aio for 4723829 to: https://ng-dev-previews-fw--pr-angular-angular-49561-oe0j25p8.web.app Note: As new commits are pushed to this pull request, this link is updated after the preview is rebuilt.
Updated the guide to reflect the changes from angular/angular-cli#24903.
aio/content/guide/security.md
| Sections | Details |
|:--- |:--- |
| `default-src 'self';` | Allows the page to load all its required resources from the same origin. |
| `style-src 'self' 'nonce-randomNonceGoesHere';` | Allows the page to load global styles from the same origin (`'self'`) and ones inserted by Angular with the `nonce-randomNonceGoesHere`. |
| `script-src 'self' 'nonce-randomNonceGoesHere';` | Allows the page to load JavaScript from the same origin (`'self'`) and ones inserted by the Angular CLI with the `nonce-randomNonceGoesHere`. This is only required if you're using critical CSS inlining. |
I don't think we should include script-src with a nonce here?
The script-src is necessary when using critical CSS inlining. It works by setting media="print" on link tags and setting it back to media="all" after it has loaded. See angular/angular-cli#24903.
Updates the security guide to reflect the recently-added CSP APIs.
Feedback has been addressed.
LGTM
Reviewed-for: global-approvers
Caretaker note: the PR has the necessary approvals (see the PullApprove status), but for some reason GitHub won't allow me to remove the additional review requests.
This PR was merged into the repository by commit f19319e.