Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(material): Support CSP, headers with style-src 'self' #24633

Closed
Rugshtyne opened this issue Mar 21, 2022 · 12 comments
Closed

feat(material): Support CSP, headers with style-src 'self' #24633

Rugshtyne opened this issue Mar 21, 2022 · 12 comments
Labels
feature This issue represents a new feature or feature request rather than a bug or bug fix needs triage This issue needs to be triaged by the team

Comments

@Rugshtyne
Copy link

Feature Description

Our current CSP implementation contains style-src 'self' which is not compatible with Angular Material. It would be great that Angular Material would support such CSP headers and, for example, as a solution have a possibility to add CSP nonces or would disable such inline injections. There was already an issue created before but was closed due to inactivity.

We have used 'unsafe-hashes' for some of the styles attributes but now, according to Dutch government, which we have to comply to, these should be removed.

If you think some workaround is possible or a minor fix in a code would do, it would be great to get that information. We could then maybe provide a pull request ourselves.

Use Case

This would enable use of strict CSP headers regarding styles.
@Rugshtyne Rugshtyne added feature This issue represents a new feature or feature request rather than a bug or bug fix needs triage This issue needs to be triaged by the team labels Mar 21, 2022
@angular-robot
Copy link
Contributor

angular-robot bot commented Mar 21, 2022

This feature request is now candidate for our backlog! In the next phase, the community has 60 days to upvote. If the request receives more than 20 upvotes, we'll move it to our consideration list.

You can find more details about the feature request process in our documentation.

@jelbourn
Copy link
Member

Angular itself has this problem: angular/angular#6361

That issue being addressed would be a prereq for components to tackle this.

@Rugshtyne
Copy link
Author

@jelbourn I have seen this but having in mind that it's open for around 6 years already is quite concerning. Am I right by saying that Angular Material is using Angular style injection infrastructure? Maybe it's possible to add, for example, nonces as attributes from Angular Material side?

At the moment we're using a custom shared_styles_host implementation but it is a hacky and not future proof way to tackle the issue, especially given the fact that Angular themselves have made some workarounds where they just inject style node into the DOM, bypassing the mentioned host.

@jelbourn
Copy link
Member

Am I right by saying that Angular Material is using Angular style injection infrastructure

Yes, Angular Material is built with Angular and shows this issue, the same as any other Angular-authored components. The issue is old, but it has never been a high priority because Google's security engineering team doesn't deem default-src self; style-src unsafe-inline; particularly risky.

@Rugshtyne
Copy link
Author

Am I right by saying that Angular Material is using Angular style injection infrastructure

Yes, Angular Material is built with Angular and shows this issue, the same as any other Angular-authored components. The issue is old, but it has never been a high priority because Google's security engineering team doesn't deem default-src self; style-src unsafe-inline; particularly risky.

How about possibility to add, for example, nonces as attributes from Angular Material side?

@jelbourn
Copy link
Member

The component library would have to stop using Angular's styles / styleUrls API and manually handle loading component styles, which is really outside the scope of what a component library should be doing.

@rickz21 rickz21 mentioned this issue Apr 19, 2022
Closed
@Rugshtyne
Copy link
Author

The component library would have to stop using Angular's styles / styleUrls API and manually handle loading component styles, which is really outside the scope of what a component library should be doing.

Can you maybe point me to the place where such APIs are used in Angular Material? Maybe I could see some solution or a workaround

@Rugshtyne Rugshtyne mentioned this issue Apr 20, 2022
Closed
@jelbourn
Copy link
Member

Can you maybe point me to the place where such APIs are used

It's in every component's @Component decorator. It's the standard way of including styles with an Angular component. There very likely is not an alternative here that will work in the OSS web ecosystem and for our build system inside Google.

@wagnermaciel
Copy link
Contributor

@jelbourn Is this something we would even consider changing on our end? Seems like if this were to be done it would be handled by the framework, right?

@jelbourn
Copy link
Member

Yeah, I would really consider this a duplicate of that framework issue.

@wagnermaciel
Copy link
Contributor

Closing as a duplicate of angular/angular#6361

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators May 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
feature This issue represents a new feature or feature request rather than a bug or bug fix needs triage This issue needs to be triaged by the team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jelbourn @wagnermaciel @Rugshtyne