Support for CSP Compliant Production Builds #1279

Closed
moloch-- opened this issue Jul 4, 2016 · 5 comments

moloch-- commented Jul 4, 2016

This is really more of a feature request.

1. OS?

Mac OS // El Capitan

2. ng version?

```
➜  dist git:(angular2) ng --version
(node:17937) fs: re-evaluating native module sources is not supported. If you are using the graceful-fs module, please update it to a more recent version.
Could not start watchman; falling back to NodeWatcher for file system events.
Visit http://ember-cli.com/user-guide/#watchman for more info.
angular-cli: 1.0.0-beta.8
node: 6.2.2
os: darwin x64
```

3. Repro steps. Was this an app that wasn't created using the CLI? What change did you

ng build and ng build -prod both produce an index.html that has inline JavaScript:

```html
  <script>
    System.import('system-config.js').then(function () {
      System.import('main');
    }).catch(console.error.bind(console));
  </script>
```

This makes applications built using ng build -prod incompatible with CSPs that disable unsafe content sources (e.g. unsafe-inline and unsafe-eval); having to enable these unsafe sources negates the security benefits of having a CSP.

Removing these inline scripts significantly increases the complexity of the builds (afaik) since there is no support for user-defined tasks, nor an easy way to use systemjs's bundler which is capable of creating CSP-compatible builds.

4. The log given by the failure. Normally this include a stack trace and some

N/A

5. Mention any other details that might be useful.

The desired behavior here is for angular-cli production builds to support CSP and increase application security by default.
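
A post-build check for the problem described in the issue above, as an added example that is not part of the original thread or of angular-cli: it scans a built index.html for inline scripts and event handlers that a policy without unsafe-inline blocks, and reports the sha256 hash source that would allow each inline script. The page wrapper, `system.js`, `boot.js` and the function name are assumptions, and hash sources go beyond what the thread discusses.

```javascript
// Added example: post-build check for markup that a CSP without
// 'unsafe-inline' blocks. Regex scanning is a heuristic, not an HTML parser.
const { createHash } = require('crypto');

function auditInlineScript(html) {
  const findings = [];
  // <script> elements with no src attribute and a non-empty body.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    if (/\bsrc\s*=/i.test(attrs) || body.trim() === '') continue;
    // Data blocks (e.g. type="application/json") are not executed.
    const type = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (type && !/javascript|ecmascript|module/i.test(type[1])) continue;
    // A CSP hash source covers the exact text between the tags.
    const digest = createHash('sha256').update(body, 'utf8').digest('base64');
    findings.push({ kind: 'inline-script', hashSource: `'sha256-${digest}'` });
  }
  // Inline event handlers (onclick=, onload=, ...) on any element.
  for (const [tag] of html.matchAll(/<[a-z][^>]*>/gi)) {
    for (const [, name] of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: 'inline-handler', attribute: name.toLowerCase() });
    }
  }
  return findings;
}

// Constructed sample: the bootstrap snippet from the issue in a minimal page.
const builtIndex = `<!doctype html>
<html><body>
  <app-root>Loading...</app-root>
  <script src="system.js"></script>
  <script>
    System.import('system-config.js').then(function () {
      System.import('main');
    }).catch(console.error.bind(console));
  </script>
</body></html>`;

// Same page with the bootstrap moved to an external file (boot.js is a
// hypothetical name), which script-src 'self' allows.
const externalized = builtIndex.replace(
  /<script>[\s\S]*?<\/script>/, '<script src="boot.js"></script>');

console.log(auditInlineScript(builtIndex));
console.log(auditInlineScript(externalized));
```

A build step can fail when the returned array is non-empty. A hash source stops matching as soon as the inline text changes by a single character, so it has to be regenerated on every build.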

@filipesilva
Contributor

Closed as issue was made obsolete by #1455.

@saulshanabrook

@filipesilva Could this be re-opened? I still cannot figure out a way to make the Angular CLI work with CSP. There are many places where eval and Function are used in the compiled JavaScript.

@filipesilva
Contributor

@saulshanabrook can you make a new issue for the problem you are experiencing? The description on this one is not applicable anymore.

@saulshanabrook

@filipesilva OK, opened #6872

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

angular-automatic-lock-bot locked and limited conversation to collaborators Sep 7, 2019