Skip to content

Inline <style> elements violates style-src Content Security Policy #6361

Closed
Closed
Inline <style> elements violates style-src Content Security Policy#6361
Assignees
crisbeto
Labels
area: coreIssues related to the framework runtimearea: securityIssues related to built-in security features, such as HTML sanitationcore: stylesheetscross-cutting: CSPfeatureLabel used to distinguish feature request from other issuesfreq3: highsecurityIssues that generally impact framework or application securitystate: has PR
Milestone
Backlog
@jelbourn

Description

@jelbourn
jelbourn
opened on Jan 8, 2016

See https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#style-src

The framework should support users that want to build their apps for CSP. In this case, the style-src directive would be in violation by Angular 2's use of inline <style> elements for things like CSS encapsulation.

I was curious if Angular 1 supported CSP, and it seems that Angular 1 indeed generates a stylesheet (build/angular-csp.css) that users can consume for CSP mode.

cc @tbosch @matsko

Metadata

Metadata

Assignees

Labels

area: coreIssues related to the framework runtimearea: securityIssues related to built-in security features, such as HTML sanitationcore: stylesheetscross-cutting: CSPfeatureLabel used to distinguish feature request from other issuesfreq3: highsecurityIssues that generally impact framework or application securitystate: has PR

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions