fix(@angular/build): add CSP nonce to script with src tags #27875
Conversation
Prior to this change, script tags with the `src` attribute were not being assigned a CSP nonce during the build process. This is useful strict-dynamic is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions. Closes angular#27874
alan-agius4
added
action: review
alan-agius4
added
action: merge
|
The changes were merged into the following branches: main, 18.0.x |
There was a problem hiding this comment.
I need this change on Angular version 16. Is there any way to do this fix in Version 16 by overriding inbuilt methods?
There was a problem hiding this comment.
Version 16 is in LTS phase and only received security fixes.
For all other fixes please update to the latest version.
Please see: https://angular.dev/reference/releases#actively-supported-versions
There was a problem hiding this comment.
@alan-agius4 I tried same using latest version 18.1.0, but It is not adding nonce to script tags of main.js, polyfills.js etc. Could you please give the release date for this change, so that we can plan our migration accordingly? Stackblitz URL: https://stackblitz.com/edit/stackblitz-starters-wr9a9h?file=src%2Fapp%2Fapp.config.ts
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Prior to this change, script tags with the
srcattribute were not being assigned a CSP nonce during the build process. This is useful strict-dynamic is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions.Closes #27874