Latest 1.2 does not work with ng-csp mode.

[mbelshe]

At least two major problems:

• injects inline script on startup
• ng-show/ng-hide are broken

And I'm not 100% certain, but I think ng-csp itself is broken in top-of-tree (it gets added to sniffer too late? - not sure, this may be my debugging failure)

To confirm:

• in Gruntfile.js, uncomment the "util.csp()" line, and try to run the tests.

Note: if you can point me at the person that knows about the state of CSP - I'd be happy to contribute to fixing.

[petebacondarwin]

I uncommented that line then ran

grunt test

Runs successfully for me.

@mbelshe - Can you confirm that this is a problem on HEAD of master?

[IgorMinar]

1/ Angular doesn't inject scripts into the document. The error you are referring to comes from the index.html of our docs app.

2/ Angular does inject css stylesheet into the document. This is not csp friendly and causes ngShow/ngHide/ngCloak to fail because they depend on ng-cloak and ng-hide css classes defined in the injected stylesheet.

---

We should not do anything about 1/, but we should try to make 2/ better. That can be done either by detecting csp and not injecting the stylesheet or at least just document this behavior in ngShow/ngHide/ngCloak documentation and explain how to recreate the stylesheet by hand and include in from an external file. We could even create angular.css file at build time and distribute it with angular for the use with CSP.

[IgorMinar]

@tigbro and @vojtajina are going to look into this.

[tbosch]

The util.csp() is used in the devserver target of the Gruntfile, that is not used when executing grunt test.

[IgorMinar]

end to end tests started via grunt test don't fail because even if you turn on csp in the web server, the webserver is proxied by karma, which doesn't preserve the csp headers.

[tbosch]

Talked to @IgorMinar: only add inline css when not in csp mode, and add angular-csp.css to the resulting build files.

[mbelshe]

Thanks everyone for helping me fumble through this bug report. I believe Igor sorted it out correctly; its the inline style which is messing up, not inline scripts.

[tbosch]

PR: #4411