This repository was archived by the owner on Apr 12, 2024. It is now read-only.

ngCsp example in docs doesn't work #16270

Closed
Narretz opened this issue Oct 12, 2017 · 4 comments

Comments

@Narretz
Contributor

Narretz commented Oct 12, 2017

See https://code.angularjs.org/snapshot/docs/api/ng/directive/ngCsp#examples

You can do eval even though it should be disallowed. The e2e tests don't fail though.

@Narretz Narretz added this to the Backlog milestone Oct 12, 2017
@petebacondarwin
Contributor

Is that because we are not turning CSP on via the server for that page?

@Narretz
Contributor Author

Narretz commented Oct 13, 2017

I actually don't know what that means 😱
We only set the ng-csp attribute on the html or body tag.

@petebacondarwin
Contributor

petebacondarwin commented Oct 13, 2017

OK, so I actually took a look at the example :-)
The point of ng-csp is to tell AngularJS not to do anything that might trigger a CSP error. It does not "turn on" CSP protection for the application. That must be done by other settings outside of AngularJS.
What developers do in their own controllers is not affected by the ng-csp directive.

So this example is rather misleading, IMO, since the evil function will be called and will execute quite happily on a browser that does not have CSP turned on - whether or not ng-csp is there.

If we could set up the example so that the browser really does turn on CSP (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Using_CSP) then it might make more sense.

@Narretz
Contributor Author

Narretz commented Oct 13, 2017

Ah, that makes sense:
There's a note in the example:
<!-- Note: the .csp suffix in the example name triggers CSP mode in our http server! -->

I assume this was lost during some docs migration.

However, the example was not rendered / tested because the indentation was wrong, so it's unclear if this actually worked.

Narretz added a commit to Narretz/angular.js that referenced this issue Feb 23, 2018
Narretz added a commit to Narretz/angular.js that referenced this issue Feb 23, 2018
Narretz added a commit to Narretz/angular.js that referenced this issue Mar 1, 2018
@Narretz Narretz closed this as completed in 4f4ad3c Mar 1, 2018