breaks angular nonce based content-security-policy #38
Comments
yogeshgadge added a commit to yogeshgadge/ngx-layout that referenced this issue Sep 13, 2023
yogeshgadge added a commit to yogeshgadge/ngx-layout that referenced this issue Sep 14, 2023
DuncanFaulkner pushed a commit that referenced this issue Sep 17, 2023
DuncanFaulkner added a commit that referenced this issue Sep 17, 2023
DuncanFaulkner added a commit that referenced this issue Sep 18, 2023
* Merge main back into 16.x.x (#37)
* chore(changelog): create a tag for updating the changelog
* docs(home): update home document
* chore(change log): update to changelog
* chore(changelog): update version & changelog
* chore(docs): update docs
* chore(docs): update docs
* chore(changelog): fix issues with change log
* chore(changlelog): update changelog issues
* Update README.md
* fix(media-observer) honor nonce in style tag(#38) (#39)
* fix(media-observer) honor nonce in style tag(#38)
* fix(media-observer) unit tests(#38)
* chore(changelog): update change log
* chore(changelog): update change log
* chore(media): fix unit test
* chore(version):release version 16.1.2
* chore(version): update version to 16.1.3
---------
Co-authored-by: ygopensource <yogeshgadge@users.noreply.github.com>
Bug Report
`<style></style>` elements are inserted without honoring `CSP_NONCE` or `ngCspNonce`.
It inserted the following style tag, but it is missing the nonce attribute.
What is the expected behaviour?
Inserts nonce attribute for styles that it inserts just like other angular platform.
What is the current behaviour?
No nonce attribute.
What are the steps to reproduce?
Follow either of the 2 strategies to prepare the app with a nonce from https://angular.io/guide/security#content-security-policy, when bootstrapping or in index.html (ngCspNonce)
Try this
https://stackblitz.com/edit/rng372?file=src%2Fmain.ts
Inspect elements /head/styles/ - the style inserted by this package does not have nonce attribute.
Notice 3 `<style>` tags. The first 3 are from ngx-flexlayout. The 4th one, which behaves correctly, is inserted by @angular/material.
What is the use case or motivation for changing an existing behaviour?
Stay secure/ CSP secure and be able to use this package that is now finally transferred here.
Which versions of Angular, Material, OS, TypeScript, and browsers are affected?
x16
Is there anything else we should know?
ngx-layout/projects/libs/flex-layout/core/match-media/match-media.ts
Line 187 in 7e48745
could add the nonce here but not sure how to get that value.
fxLayout.lt-md
then I don't see that happening. But then what's the point.
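
A way to check the behaviour reported above, as an added example (not code from the issue or from ngx-layout): given a CSP header value and the serialized `<head>` markup, it lists the inline `<style>` elements the policy would block for lack of a matching nonce. The function names, the sample policy and the sample markup are constructed; hash sources and full HTML parsing are left out as simplifying assumptions.

```javascript
// Added example: audit which inline <style> elements a CSP would block.
// Assumptions: regex-based tag scan, hash sources are not evaluated.

// Pick the directive that governs <style> elements: style-src-elem, then
// style-src, then default-src (the CSP3 fallback order).
function styleSources(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  for (const name of ['style-src-elem', 'style-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no governing directive: inline styles are not restricted
}

// Return the CSS text of every inline <style> the policy would refuse.
function blockedInlineStyles(csp, html) {
  const sources = styleSources(csp);
  if (sources === null) return [];
  const nonces = sources
    .map((s) => /^'nonce-(.+)'$/i.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // 'unsafe-inline' is ignored as soon as a nonce or hash source is present.
  if (unsafeInline && nonces.length === 0 && !hasHash) return [];
  const blocked = [];
  for (const [, attrs, css] of html.matchAll(/<style\b([^>]*)>([\s\S]*?)<\/style>/gi)) {
    const m = /\bnonce\s*=\s*["']([^"']*)["']/i.exec(attrs);
    if (!m || !nonces.includes(m[1])) blocked.push(css.trim());
  }
  return blocked;
}

// Constructed sample: one style without a nonce (the reported case), one with it.
const SAMPLE_CSP = "default-src 'self'; style-src 'self' 'nonce-r4nd0mSample'";
const SAMPLE_HEAD = `
<style type="text/css">@media screen and (max-width: 959.98px) {.sample-rule{ }}</style>
<style nonce="r4nd0mSample">.mat-sample{color:red}</style>`;

console.log(blockedInlineStyles(SAMPLE_CSP, SAMPLE_HEAD));
```

Run it against the `<head>` markup of a page served with the real policy to see which library-inserted styles still lack the nonce.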