Content-Security-Policy 'nonce' not working for some elements #15911
Labels
Type: Bug
Issue contains a bug related to a specific component. Something about the component is not working
Milestone
Describe the bug
The bug happens for some elements that are not applying the CSP 'nonce' policy correctly.
In my case, the
p-table
element is failing since it seems when it's configured as responsive, usingresponsiveLayout="stack"
(check PrimeNG docs here), there are inline styles applied dynamically (using the innerHTML attribute) that do not contain the 'nonce' attribute.I have replicated the error in a Stackblitz.
Check the Steps to reproduce the behavior section for details.
Reproducer
https://stackblitz.com/edit/2xjzsk
Angular version
18
PrimeNG version
17.18.1
Build / Runtime
Angular CLI App
Language
TypeScript
Node version (for AoT issues node --version)
20
Browser(s)
No response
Steps to reproduce the behavior
I added to my project the configurations provided by Angular and PrimeNG in order to apply and comply the Content-Security-Policy NONCE feature as follows:
Angular configurations (see Security section):
index.html
The meta tag
The
ngCspNonce
attribute in the main componentPrimeNG configurations (see Configution > CSP)
table-basic-demo.ts
Error(s)
When loading the
p-table
component, you could see errors saying that nonce is not implemented for some inline styles.Note that there might be other errors not related to this issue.
Error 1: related to other component. Might be related to the same nonce issue.
Error 2 and 3: related to
p-table
issue.In
createResponsiveStyle()
function is where the issue happens:Related issue
#14847 p-pickList: Content-Security-Policy throws a inline-style error when [responsive]="true"
The text was updated successfully, but these errors were encountered: