Module#run methods are run before ng-csp takes effect

[boushley]

Right now if I have a module.run() that triggers the getterFn logic inside of Angular it is occuring before the ng-csp directive can take effect. So the Function constructor function is returned and used, and the initialization stops form the CSP error.

I'm able to work around this for now by adding another module.run method prior that has the $sniffer injected and sets $sniffer.csp to true.

It would be great if the module.run methods were invoked after ng-csp took effect. Alternatively it seems like it would be better to inject the $snifferProvider into the module config and be able to tell it to turn on CSP.

Is there a suggested direction for how you would want to solve this?

[lanterndev]

I also just hit this. Ping @mhevery @IgorMinar @btford et al. can this be triaged?

[boushley]

I ended up using a decorator to get this working instead of a run method, but it would be great to do something around this.

[lanterndev]

@boushley Would you be able to share a link to your decorator?

[boushley]

I just used:

$provide.decorator('$sniffer', ['$delegate', function ($sniffer) {
    $sniffer.csp = true;
    return $sniffer;
}]);

[lanterndev]

Thanks a lot @boushley, that did the trick for me too.

[digitarald]

This is still broken by default and I couldn't get it working with the decorator patch posted above? Any plans to fix ngCSP to work? I am just starting and don't have a great understanding of the inner workings yet.

[lanterndev]

@digitarald you have to put the snippet above inside a config function like this:

angular.module('yourModule')
  .config(function ($provide) {
    $provide.decorator('$sniffer', ['$delegate', function ($sniffer) {
      $sniffer.csp = true;
      return $sniffer;
    }]);
  })

Hope this helps.

[digitarald]

@Skivvies thank you, that worked after all. But it still defeats the purpose of ng-csp; which obviously isn't working.

[boushley]

I wasn't (and I don't think @Skivvies was) suggesting that the decorator workaround is a solution. It's just a workaround until something in angular get's changed. If you look at the code for $sniffer it says it's internal and to keep your hands off, essentially, but this works for now.

[digitarald]

No blaming intended on my side! I am glad the workaround is working for now, even though it uses internals and isn't future proof. I just wanted raise awareness and priority for this bug which renders ng-csp ineffective.

[boushley]

My guess is that this is going to be a tough cookie to solve. I've been reading through some of the Angular internals and it might be pretty hard to get this ordered correctly.

[thenikso]

I'm trying to use http://developer.chrome.com/apps with 1.2.0-rc.3 and I'm having this issue.

Maybe just check for ng-csp attribute much like the ng-app gets checked instead of using a directive?