fix(@angular/build): add CSP nonce to script with src tags #27875
Prior to this change, script tags with the `src` attribute were not being assigned a CSP nonce during the build process. This is useful as strict-dynamic is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions.

Closes angular#27874
The changes were merged into the following branches: main, 18.0.x
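The check below is an added example, not part of the pull request or the Angular code base: it audits built HTML for executable `<script>` tags, inline or with `src`, that lack the expected nonce and would therefore be blocked under a `script-src 'nonce-…' 'strict-dynamic'` policy. The function names, the sample markup and the nonce value are constructed for illustration.

```javascript
// Added example (not Angular's code). Policy assumed for the audit:
//   Content-Security-Policy: script-src 'nonce-<value>' 'strict-dynamic'
// With 'strict-dynamic', 'self' and host allowlists are ignored, so a
// parser-inserted <script src> runs only if it carries the valid nonce.

// Script types that execute (or are import maps); anything else is a data block.
const JS_TYPES = /^(module|importmap|(text|application)\/(x-)?(java|ecma)script)$/i;

// Parse the attributes of one start tag into a map with lower-cased names.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per script tag the browser would refuse to run.
// Regex-based on purpose: meant for build output, not arbitrary HTML.
function auditScriptNonces(html, expectedNonce) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    // Data blocks such as application/json never execute and need no nonce.
    if (attrs.type && !JS_TYPES.test(attrs.type.trim())) continue;
    const script = 'src' in attrs ? `src=${attrs.src}` : 'inline';
    if (!('nonce' in attrs)) {
      findings.push({ script, problem: 'missing nonce' });
    } else if (attrs.nonce !== expectedNonce) {
      findings.push({ script, problem: 'nonce mismatch' });
    }
  }
  return findings;
}

// Constructed sample: only the inline script carries the nonce.
const NONCE = 'cmFuZG9tLW5vbmNl'; // constructed placeholder, not a real value
const BEFORE_HTML = `<script nonce="${NONCE}">window.boot = 1;</script>
<script type="application/json" id="state">{}</script>
<script src="polyfills.js" type="module"></script>
<script src="main.js" type="module"></script>`;
// Same markup with the nonce also present on the src scripts.
const AFTER_HTML = BEFORE_HTML.replace(/<script src=/g, `<script nonce="${NONCE}" src=`);

console.log(auditScriptNonces(BEFORE_HTML, NONCE));
console.log(auditScriptNonces(AFTER_HTML, NONCE));
```

Run it against the generated `index.html` with the nonce your server injects; an empty result means every executable script tag carries that nonce.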
I need this change on Angular version 16. Is there any way to do this fix in Version 16 by overriding inbuilt methods?
Version 16 is in the LTS phase and only receives security fixes.
For all other fixes please update to the latest version.
Please see: https://angular.dev/reference/releases#actively-supported-versions
@alan-agius4 I tried the same using the latest version, 18.1.0, but it is not adding a nonce to the script tags of main.js, polyfills.js, etc. Could you please give the release date for this change, so that we can plan our migration accordingly? Stackblitz URL: https://stackblitz.com/edit/stackblitz-starters-wr9a9h?file=src%2Fapp%2Fapp.config.ts