Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(@angular/build): add CSP nonce to script with src tags #27875

Merged
merged 1 commit into from
Jun 18, 2024

Conversation

alan-agius4
Copy link
Collaborator

Prior to this change, script tags with the src attribute were not being assigned a CSP nonce during the build process. This is useful strict-dynamic is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions.

Closes #27874

Prior to this change, script tags with the `src` attribute were not being assigned a CSP nonce during the build process. This is useful
strict-dynamic is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions.

Closes angular#27874
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: patch This PR is targeted for the next patch release labels Jun 18, 2024
@alan-agius4 alan-agius4 requested a review from clydin June 18, 2024 12:39
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 18, 2024
@alan-agius4 alan-agius4 merged commit c0ceddf into angular:main Jun 18, 2024
32 of 33 checks passed
@alan-agius4 alan-agius4 deleted the csp branch June 18, 2024 13:57
@alan-agius4
Copy link
Collaborator Author

The changes were merged into the following branches: main, 18.0.x

Copy link

@sagartalaviya91 sagartalaviya91 Jul 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need this change on Angular version 16. Is there any way to do this fix in Version 16 by overriding inbuilt methods?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version 16 is in LTS phase and only received security fixes.

For all other fixes please update to the latest version.

Please see: https://angular.dev/reference/releases#actively-supported-versions

Copy link

@sagartalaviya91 sagartalaviya91 Jul 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alan-agius4 I tried same using latest version 18.1.0, but It is not adding nonce to script tags of main.js, polyfills.js etc. Could you please give the release date for this change, so that we can plan our migration accordingly? Stackblitz URL: https://stackblitz.com/edit/stackblitz-starters-wr9a9h?file=src%2Fapp%2Fapp.config.ts

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Aug 22, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
action: merge The PR is ready for merge by the caretaker target: patch This PR is targeted for the next patch release
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ngCspNonce should add the nonce value to the script tags loading the main bundles
3 participants