From 45ffe189ff93eec496cbaa0d8fee56015dac13da Mon Sep 17 00:00:00 2001
From: dancodingbr
Date: Wed, 6 May 2026 16:34:32 -0300
Subject: [PATCH] fix(nginx): allow Angular lazy-CSS inline handler in CSP

Angular's production build emits for non-render-blocking stylesheet loading. This inline event handler is blocked by script-src 'self'. Adding 'unsafe-hashes' together with the SHA-256 hash of the exact string 'this.media='\''all'\''' permits only this specific known handler without opening unsafe-inline.

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 537caa7..c0b2c23 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -53,7 +53,7 @@ http {
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' http://localhost:8080 http://localhost:80; frame-ancestors 'none'" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-hashes' 'sha256-MhtPZXr7+LpJUY5qtMutB+qWfQtMaPccfe7QXtCcEYc='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' http://localhost:8080 http://localhost:80; frame-ancestors 'none'" always;
 # Uncomment in production when behind TLS:
 # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
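Review bot: The new Content-Security-Policy line carries a bare `'sha256-MhtPZXr7+LpJUY5qtMutB+qWfQtMaPccfe7QXtCcEYc='` source with nothing in nginx.conf saying which handler it covers or how it was derived, so the next maintainer cannot tell whether it is still needed or how to regenerate it when Angular changes the emitted string; the commit message does say the hash is of the exact string `this.media='all'`, and that belongs next to the directive. I would add, above the `add_header Content-Security-Policy` line, `# 'unsafe-hashes' + the sha256 source allow only Angular's stylesheet onload handler "this.media='all'" (base64 SHA-256 of that exact string); if Angular changes the string, the handler is blocked again — regenerate the hash rather than adding 'unsafe-inline'.` Note that with `'unsafe-hashes'` the browser trusts the handler source, not the element it sits on, so any inline handler with that exact text is allowed; that is harmless for this string but is the reason the hash must stay tied to a known, documented value, and I cannot confirm from the hunk that the base64 value matches the stated string. The enclosing `http {` block begins and ends outside the hunk.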