Problem on content security policy #7381

Closed
silvia-giordano opened this issue Dec 15, 2021 · 3 comments
Labels
denoland High A critical defect is show stopper which means the functionality cannot be delivered unless defect

@silvia-giordano

Is this a bug, enhancement, or feature request?

BUG

Which versions of Angular and Fundamental Library for Angular are affected? (If this is a feature request, use current version.)

Problem since
Angular: 12.0.5
Fundamental: 0.33.0-rc.207

Versions currently in use:
Angular 13
Fundamental 0.33.0-rc.214

If this is a bug, please provide steps for reproducing it.

From the Angular documentation, only
default-src 'self'; style-src 'self' 'unsafe-inline';
is necessary in the meta tag of the index.html

Now when I start my app I have in the console:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

and no icons are shown

Previous version functioning for our project:
Angular 11.2.14
Fundamental: 0.32.2-rc.53

Can you help us?
Thanks in advance

@droshev droshev added High A critical defect is show stopper which means the functionality cannot be delivered unless defect denoland labels Dec 16, 2021
@droshev
Contributor

droshev commented Dec 16, 2021

@N1XUS do you think you can research this issue and how it affects us?

@mikerodonnell89
Member

@silvia-giordano You may need to disable styles inlineCritical in your angular.json file as described in this comment here: angular/angular-cli#20864 (comment)

Please refer to the whole thread for some more context as to why this is happening and let us know if the problem persists
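
Added example, not part of the original thread and not code from Angular or Fundamental Library: the "inline event handler" in the console error matches the `onload` attribute that Angular CLI's critical CSS inlining (`optimization.styles.inlineCritical` in angular.json) puts on the stylesheet `<link>`. The script below checks built HTML against the policy quoted in the issue; the sample HTML is constructed and the function names are hypothetical.

```javascript
// Added example. Regex scanning approximates HTML parsing (fine for build
// output); hash-based allowances ('unsafe-hashes') are not modeled.

// Parse a CSP string into { directive: [sources] }; first occurrence wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [rawName, ...sources] = part.trim().split(/\s+/);
    const name = rawName.toLowerCase();
    if (name && !(name in directives)) directives[name] = sources;
  }
  return directives;
}

// Event-handler attributes are governed by script-src-attr, which falls
// back to script-src and then to default-src.
function inlineHandlersAllowed(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src-attr'] || d['script-src'] || d['default-src'];
  if (!sources) return true; // nothing restricts scripts
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Collect on* attributes (onload, onclick, ...) from every start tag.
function findInlineHandlers(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/gi;
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[2].matchAll(attrRe)) {
      const value = attr[2].replace(/^["']|["']$/g, '');
      findings.push({ tag: tag[1].toLowerCase(), attribute: attr[1].toLowerCase(), value });
    }
  }
  return findings;
}

// Handlers the browser would refuse to run under the given policy.
function checkBuild(policy, html) {
  return inlineHandlersAllowed(policy) ? [] : findInlineHandlers(html);
}

// Policy from the issue; both HTML samples are constructed for illustration.
const POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline';";
const WITH_INLINE_CRITICAL = `<head><style>body{margin:0}</style>
<link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'">
<noscript><link rel="stylesheet" href="styles.css"></noscript></head>`;
const WITHOUT_INLINE_CRITICAL = `<head><link rel="stylesheet" href="styles.css"></head>`;

console.log(checkBuild(POLICY, WITH_INLINE_CRITICAL));
```

Running the same check over the `index.html` of each build configuration shows which ones still emit the handler.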

@silvia-giordano
Author

silvia-giordano commented Dec 17, 2021

@mikerodonnell89 I tried your suggestion; it seems to work when I put it in 'production'.
Locally it still does not work (but I think I can do it differently only for localhost).
I'll do some other tests and if it works I will close this issue.
Thank you for your help!

4 participants