Implement inlining #5750
Implement inlining #5750
Conversation
|
Inline scripts add an additional security complexity; especially in combination with CSP. This should be optional, if anything. Also, the script hash should be calculated and provided if this feature is implemented. |
|
I see there's a concern with CSP. However, why do you think there's the need of hashing when this feature is enabled? It's something that can preferably deleted on filesystem, so I intentionally removed the hash to reduce match complexity. |
|
I'm referring to a hash of the inline script content. CSP allows whitelisting of inline scripts via a hash of the inline script. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) |
|
I doubt CSP is a high blocker though. Angular itself seems tricky: angular/angular#6361 The plugin I use doesn't seem to be CSP aware, so I will probably create a PR and wait for a new release. |
|
Angular requires the use of the |
|
Is it our responsibility to generate the hash? It's an header, and should be generated with some task runner before the deployment. |
|
Unwipped. Added killswitch. Please take a look! |
|
Please take a look! |
|
@Brocco can you review? |
|
If this looks okay, I would rebase soon. By the way, this is a feature(flag) addition, so maybe 1.1 branch should be targeted. |
|
Several comments:
|
|
|
|
Rebased. Untested. |
|
Review? |
docs/documentation/build.md
Outdated
| @@ -144,6 +144,16 @@ Flag | `--dev` | `--prod` | |||
| </details> | |||
|
|
|||
| <details> | |||
| <summary>inline</summary> | |||
| <p> | |||
| `--inline` _default: true_ | |||
There was a problem hiding this comment.
I share @clydin's concerns on this: there is a benefit and a demand for this functionality, but we neither should change the existing behaviour nor put the extra responsibility of extra CSP configuration on users.
It might be trivial for some users, but not so much for others, and possibly completely impractical for some server setups.
For this reason I think it should default to false.
|
@ishitatsuyuki Could you explain what problem this PR is trying to fix? There might be a better approach. |
|
This is a new feature, not fix. The related issue is #2307. I'm on a trip currently. Will disable it by default. |
|
Rebased and addressed review comments. The license check is currently failing due to a dependency update. It's not my fault, but please find a way to workaround it (LGPLv2 is not currently accepted). |
|
I have rebased the changes and I believe I have addressed all the concerns. Can we get this into 1.3? |
|
Can this be extended (somehow) to allow inline critical (or any) CSS? |
|
@GuskiS no, that is server side renderer's job. |
|
Why is that the only choice? For example, I would like to have static HTML that has inlined critical CSS, some sort of app shell (navigation and loading animation), that is gzipped and then served statically - not changed by SSR. |
|
If you want to inline "critical" css, determine it and put it manually. A rule being used or not can only be determined after render. This only inline webpack manifest (runtime). |
|
Closing due to inactivity. Feel free to reuse my code. |
|
Any chance for further discussion on this topic? I find it rather weird to have a 5-line JavaScript file whichs needs to be fetched separately, especially from a performance perspective. I would at least expect the Angular CLI to have some kind of option for (actually) inlining the Also, wouldn't it be possible to simplify put the |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
The 1KB script is now inlined in
index.html. Tested locally.inline.js is now suppressed.
No tests added so far.