feat(@angular-devkit/build-angular): add CSP support for inline styles #24880
Conversation
crisbeto
added
action: review
There was a problem hiding this comment.
I am not certain that creating a new plugin is the right direction.
The plugin addresses only one use case (CSR), but it does not add nonce to the app-shell, which uses extended Critters directly. See:
I was under the impression, that we were going to add nonce support in Critters, as adding nonce to the style elements is also not sufficient to make the page CSP complaint, crtitters adds onload events to link elements, as such we will need to modify critters to output this is a CSP complaint way.
Currently critters will change
<link rel="stylesheet" href="styles.css”>
to
<link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'">Now, we need to amend the above and make it CSP complaint when nonce is provided (Or we can do the same logic irrespective if CSP is enabled.)
<link rel="stylesheet" href=“styles.css” ngAsyncStyle>
<script nonce=“..">
document.querySelectorAll('link[ngAsyncStyle]’)
.forEach(s => s.addEventListener(‘load’, () => s.media = ‘all'));
</script>All the above, would be complex to do with this sort of plugin created, but should be more doable using by extended Critters.
packages/angular_devkit/build_angular/src/utils/index-file/style-nonce.ts
Outdated
Show resolved
Hide resolved
packages/angular_devkit/build_angular/src/utils/index-file/style-nonce.ts
Show resolved
Hide resolved
packages/angular_devkit/build_angular/src/utils/index-file/style-nonce.ts
Outdated
Show resolved
Hide resolved
packages/angular_devkit/build_angular/src/utils/index-file/style-nonce.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
The change I was planning to make to Critters was to allow for custom attributes to be specified and we can achieve the same without touching Critters at all using the changes in this PR. I can bake this logic into the Critters plugin, but I think that it makes sense to apply it to all inline style tags, not just the ones generated by Critters.
I think that the link use case would require a much larger change to Critters so for now I would rather focus only on the style tags.
packages/angular_devkit/build_angular/src/utils/index-file/style-nonce.ts
Show resolved
Hide resolved
Fair enough. |
alan-agius4
added
the
action: cleanup
Companion change to angular/angular#49444. Adds an HTML processor that finds the `ngCspNonce` attribute and copies its value to any inline `style` tags in the HTML. The processor runs late in the processing pipeline in order to pick up any `style` tag that might've been added by other processors (e.g. critical CSS).
crisbeto
removed
the
action: cleanup
|
Comments have been addressed. |
alan-agius4
added
action: merge
…tags. Based on angular#24880 (review). Critters can generate `link` tags with inline `onload` handlers which breaks CSP. These changes update the style nonce processor to remove the `onload` handlers and replicate the behavior with an inline `script` tag that gets the proper nonce. Note that earlier we talked about doing this through Critters which while possible, would still require a custom HTML processor, because we need to both add and remove attributes from an element.
…tags. Based on angular#24880 (review). Critters can generate `link` tags with inline `onload` handlers which breaks CSP. These changes update the style nonce processor to remove the `onload` handlers and replicate the behavior with an inline `script` tag that gets the proper nonce. Note that earlier we talked about doing this through Critters which while possible, would still require a custom HTML processor, because we need to both add and remove attributes from an element.
…tags. Based on angular#24880 (review). Critters can generate `link` tags with inline `onload` handlers which breaks CSP. These changes update the style nonce processor to remove the `onload` handlers and replicate the behavior with an inline `script` tag that gets the proper nonce. Note that earlier we talked about doing this through Critters which while possible, would still require a custom HTML processor, because we need to both add and remove attributes from an element.
…tags. Based on #24880 (review). Critters can generate `link` tags with inline `onload` handlers which breaks CSP. These changes update the style nonce processor to remove the `onload` handlers and replicate the behavior with an inline `script` tag that gets the proper nonce. Note that earlier we talked about doing this through Critters which while possible, would still require a custom HTML processor, because we need to both add and remove attributes from an element.
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Companion change to angular/angular#49444. Adds an HTML processor that finds the
ngCspNonceattribute and copies its value to any inlinestyletags in the HTML. The processor runs late in the processing pipeline in order to pick up anystyletag that might've been added by other processors (e.g. critical CSS).