breaks angular nonce based content-security-policy #38
Comments
yogeshgadge
added a commit
to yogeshgadge/ngx-layout
that referenced
this issue
Sep 13, 2023
yogeshgadge
added a commit
to yogeshgadge/ngx-layout
that referenced
this issue
Sep 14, 2023
DuncanFaulkner
pushed a commit
that referenced
this issue
Sep 17, 2023
DuncanFaulkner
added a commit
that referenced
this issue
Sep 17, 2023
DuncanFaulkner
added a commit
that referenced
this issue
Sep 18, 2023
* Merge main back into 16.x.x (#37) * chore(changelog): create a tag for updating the changelog * docs(home): update home document * chore(change log): update to changelog * chore(changelog): update version & changelog * chore(docs): update docs * chore(docs): update docs * chore(changelog): fix issues with change log * chore(changlelog): update changelog issues * Update README.md * fix(media-observer) honor nonce in style tag(#38) (#39) * fix(media-observer) honor nonce in style tag(#38) * fix(media-observer) unit tests(#38) * chore(changelog): update change log * chore(changelog): update change log * chore(media): fix unit test * chore(version):release version 16.1.2 * chore(version): update version to 16.1.3 --------- Co-authored-by: ygopensource <yogeshgadge@users.noreply.github.com>
DuncanFaulkner
added a commit
that referenced
this issue
Sep 18, 2023
* Merge main back into 16.x.x (#37) * chore(changelog): create a tag for updating the changelog * docs(home): update home document * chore(change log): update to changelog * chore(changelog): update version & changelog * chore(docs): update docs * chore(docs): update docs * chore(changelog): fix issues with change log * chore(changlelog): update changelog issues * Update README.md * fix(media-observer) honor nonce in style tag(#38) (#39) * fix(media-observer) honor nonce in style tag(#38) * fix(media-observer) unit tests(#38) * chore(changelog): update change log * chore(changelog): update change log * chore(media): fix unit test * chore(version):release version 16.1.2 * chore(version): update version to 16.1.3 --------- Co-authored-by: ygopensource <yogeshgadge@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug Report
<style></style>elements are inserted without honoringCSP_NONCEorngCspNonce.It inserted following style tag but missing nonce attribute.
What is the expected behaviour?
Inserts nonce attribute for styles that it inserts just like other angular platform.
What is the current behaviour?
No nonce attribute.
What are the steps to reproduce?
Follow any of the 2 strategies to prepare app with nonce from https://angular.io/guide/security#content-security-policy when bootstraping or in index.html (ngCspNonce)
Try this
https://stackblitz.com/edit/rng372?file=src%2Fmain.ts
Inspect elements /head/styles/ - the style inserted by this package does not have nonce attribute.
Notice 3 <style> tags. The first 3 are from ngx-flexlayout. The 4th one behaves correctly is from @angular/material inserted.
What is the use case or motivation for changing an existing behaviour?
Stay secure/ CSP secure and be able to use this package that is now finally transferred here.
Which versions of Angular, Material, OS, TypeScript, and browsers are affected?
x16
Is there anything else we should know?
ngx-layout/projects/libs/flex-layout/core/match-media/match-media.ts
Line 187 in 7e48745
could add the nonce here but not sure how to get that value.
fxLayout.lt-mdthen I don;t see that happening. But then whats the point.The text was updated successfully, but these errors were encountered: