docs: update security guide to mention new CSP functionality #49561

crisbeto · 2023-03-23T09:22:33Z

Updates the security guide to reflect the recently-added CSP APIs.

github-actions · 2023-03-23T09:59:43Z

Deployed aio for 4723829 to: https://ng-dev-previews-fw--pr-angular-angular-49561-oe0j25p8.web.app

Note: As new commits are pushed to this pull request, this link is updated after the preview is rebuilt.

aio/content/guide/security.md

crisbeto · 2023-03-29T08:17:18Z

Updated the guide to reflect the changes from angular/angular-cli#24903.

aio/content/guide/security.md

jelbourn · 2023-03-29T17:52:12Z

aio/content/guide/security.md

+| Sections                | Details |
+|:---                     |:---     |
+| `default-src 'self';`   | Allows the page to load all its required resources from the same origin. |
+| `style-src 'self' 'nonce-randomNonceGoesHere';`     | Allows the page to load global styles from the same origin \(`'self'`\) and ones inserted by Angular with the `nonce-randomNonceGoesHere`. |
+| `script-src 'self' 'nonce-randomNonceGoesHere';`     | Allows the page to load JavaScript from the same origin \(`'self'`\) and ones inserted by the Angular CLI with the `nonce-randomNonceGoesHere`. This is only required if you're using critical CSS inlining. |


I don't think we should include script-src with a nonce here?

The script-src is necessary when using critical CSS inlining. It works by setting media="print" on link tags and setting it back to media="all" after it has loaded. See angular/angular-cli#24903.

aio/content/guide/security.md

Updates the security guide to reflect the recently-added CSP APIs.

crisbeto · 2023-03-30T11:07:30Z

Feedback has been addressed.

jelbourn

LGTM

alxhub

Reviewed-for: global-approvers

crisbeto · 2023-03-30T20:30:10Z

Caretaker note: the PR has the necessary approvals (see the PullApprove status), but for some reason Github won't allow me to remove the additional review requests.

angular-robot · 2023-03-30T23:10:08Z

This PR was merged into the repository by commit f19319e.

angular-automatic-lock-bot · 2023-04-30T00:09:26Z

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}

crisbeto added area: docs action: review The PR is still awaiting reviews from at least one requested reviewer target: major This PR is targeted for the next major release labels Mar 23, 2023

crisbeto added this to the v16-candidates milestone Mar 23, 2023

crisbeto requested a review from jelbourn March 23, 2023 09:22

pullapprove bot requested review from alxhub, josephperrott and pkozlowski-opensource March 23, 2023 09:22

crisbeto added the aio: preview label Mar 23, 2023

crisbeto force-pushed the csp-docs branch from 55e1ead to 10004f6 Compare March 23, 2023 10:02

alan-agius4 reviewed Mar 23, 2023

View reviewed changes

aio/content/guide/security.md Outdated Show resolved Hide resolved

alan-agius4 reviewed Mar 23, 2023

View reviewed changes

aio/content/guide/security.md Outdated Show resolved Hide resolved

crisbeto force-pushed the csp-docs branch from 10004f6 to 21f4582 Compare March 29, 2023 08:17

jelbourn reviewed Mar 29, 2023

View reviewed changes

pullapprove bot requested a review from jelbourn March 29, 2023 17:53

docs: update security guide to mention new CSP functionality

4723829

Updates the security guide to reflect the recently-added CSP APIs.

crisbeto force-pushed the csp-docs branch from 21f4582 to 4723829 Compare March 30, 2023 11:07

jelbourn approved these changes Mar 30, 2023

View reviewed changes

pullapprove bot requested a review from jelbourn March 30, 2023 18:31

alxhub approved these changes Mar 30, 2023

View reviewed changes

angular-robot bot closed this in f19319e Mar 30, 2023

alan-agius4 mentioned this pull request Apr 1, 2023

Documentation about critical inlining styles does not mention impact on CSP #48984

Closed

This was referenced Apr 10, 2023

Refused to apply inline style while nonce is available in the Content Security Policy header #49104

Closed

platform-browser.mjs _addStylesToHost function trigger CSP error #49758

Closed

amanplans mentioned this pull request Apr 13, 2023

Refused to apply inline style while nonce is available in the Content Security Policy header in Angular v16.0.0-next.7 #49827

Closed

A-Fitz-Nelnet mentioned this pull request Apr 19, 2023

Add a customizable nonce attribute to injected style elements - CSP #26152

Open

angular-automatic-lock-bot bot locked and limited conversation to collaborators Apr 30, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: update security guide to mention new CSP functionality #49561

docs: update security guide to mention new CSP functionality #49561

crisbeto commented Mar 23, 2023

github-actions bot commented Mar 23, 2023 •

edited

crisbeto commented Mar 29, 2023

jelbourn Mar 29, 2023

crisbeto Mar 29, 2023

crisbeto commented Mar 30, 2023

jelbourn left a comment

alxhub left a comment

crisbeto commented Mar 30, 2023 •

edited

angular-robot bot commented Mar 30, 2023

angular-automatic-lock-bot bot commented Apr 30, 2023

docs: update security guide to mention new CSP functionality #49561

docs: update security guide to mention new CSP functionality #49561

Conversation

crisbeto commented Mar 23, 2023

github-actions bot commented Mar 23, 2023 • edited

crisbeto commented Mar 29, 2023

jelbourn Mar 29, 2023

Choose a reason for hiding this comment

crisbeto Mar 29, 2023

Choose a reason for hiding this comment

crisbeto commented Mar 30, 2023

jelbourn left a comment

Choose a reason for hiding this comment

alxhub left a comment

Choose a reason for hiding this comment

crisbeto commented Mar 30, 2023 • edited

angular-robot bot commented Mar 30, 2023

angular-automatic-lock-bot bot commented Apr 30, 2023

github-actions bot commented Mar 23, 2023 •

edited

crisbeto commented Mar 30, 2023 •

edited