Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ngCspNonce should add the nonce value to the script tags loading the main bundles #27874

Closed
conorblencowe opened this issue Nov 15, 2023 · 6 comments · Fixed by #27875
Closed

ngCspNonce should add the nonce value to the script tags loading the main bundles #27874

conorblencowe opened this issue Nov 15, 2023 · 6 comments · Fixed by #27875
Labels
angular/build:application area: @angular/build

Comments

@conorblencowe
Copy link

Which @angular/* package(s) are relevant/related to the feature request?

compiler-cli

Description

ngCspNonce is a great addition and almost solves a lot of the CSP difficulties I'm having but I think is missing some aspects to simplify the process of writing a CSP.

CSP level 3 introduces strict-dynamic for script-src. This avoids needing a whitelist and favours using a nonce (or hash) on scripts. The great part about it is that this "trust" given by a nonce also propagates to scripts that are loaded by the root script. This is particularly important for myself since we load a tracking script which in turn loads a bunch of other tracking services.

This almost works. The problem is that you can't use strict-dynamic in conjunction with 'self'. Angular currently does not add the nonce from ngCspNonce to the runtime/main bundles included at the bottom of the index.html. So, without a nonce or allowing "self" the browser blocks these.

image

Proposed solution

Along with the other inline styles/scripts that ngCspNonce will add the nonce placeholder to, also add this nonce to the bundles.

Alternatives considered

An alternate solution is to avoid strict-dynamic use whitelisting of domains but for an application with more complex scripts it is a lifesaver. Google's CSP evaluator utilises strict-dynamic in their "sample safe policy".
@ngbot ngbot bot added this to the needsTriage milestone Nov 15, 2023
@danielritter
Copy link

+1

@tomastrajan
Copy link
Contributor

Yes, please!

@bschick
Copy link

bschick commented Jan 28, 2024

Hard to use strict-dynamic without this

@dvero23
Copy link

dvero23 commented Jun 18, 2024

Yes please, it would be really helpful.

@ngbot ngbot bot removed this from the needsTriage milestone Jun 18, 2024
@JoostK JoostK transferred this issue from angular/angular Jun 18, 2024
@JoostK
Copy link
Member

JoostK commented Jun 18, 2024

Moving this to the CLI repo because it does the index.html preparation, not the Angular compiler itself.

alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Jun 18, 2024
@alan-agius4
fix(@angular/build): add CSP nonce to script with src tags
cc2cef4 
Prior to this change, script tags with the `src` attribute were not being assigned a CSP nonce during the build process. This is useful
strict-dynamic is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions.

Closes angular#27874
@alan-agius4 alan-agius4 mentioned this issue Jun 18, 2024
Merged
alan-agius4 added a commit that referenced this issue Jun 18, 2024
@alan-agius4
fix(@angular/build): add CSP nonce to script with src tags
bdd168f 
Prior to this change, script tags with the `src` attribute were not being assigned a CSP nonce during the build process. This is useful
strict-dynamic is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions.

Closes #27874

(cherry picked from commit c0ceddf)
@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jul 19, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
angular/build:application area: @angular/build
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(@angular/build): add CSP nonce to script with src tags alan-agius4/angular-cli
7 participants
@JoostK @bschick @danielritter @tomastrajan @alan-agius4 @conorblencowe @dvero23