#CSP nonce for dynamically added <style> tags?

3 messages · Page 1 of 1 (latest)

steep zodiac
#

Hello. I am configuring CSP. Right now I am adding nonces to <script> and <style> tags in backend to index.html before serving the content back to client and adding same nonce to headers as well. All is good with the pre-generated index.html placeholders.

Problem is Angular triggers and adds some dynamic <styles> after index.html is served to client in <head> section, guessing some modules pop up and do that.

Why is this a problem?
When I add style-src 'self' 'nonce-%s' 'unsafe-inline';

nonce tag gets added to all pre-rendered <style> tags and all that is fine. But now, the dynamic <style> tags are not loaded because I dont have nonce tag on them and they are blocked from running. Fallback to unsafe-inline does not work for dynamic style tags because nonce is given.

  1. Can I pre-render all possible styles and attach them, so I can nonce them.
  2. Or can angular take the nonce and attach it to dynamic styles (though idk, that kind of defeats the purpose a little bit).

Config on frontend is:

"hp-dev": {
              "optimization": {
                "scripts": true,
                "styles": {
                  "minify": true,
                  "inlineCritical": false
                },
                "fonts": true
              },
              "outputHashing": "all",
              "sourceMap": true,
              "namedChunks": true,
              "extractLicenses": false,
              "vendorChunk": true,
              "buildOptimizer": true,
              "serviceWorker": true,
              "ngswConfigPath": "ngsw-config.json",
            /.../
            },
image.png
steep zodiac
steep zodiac
#

I belive I have found the solution.
We should do:

<app-root ngCspNonce="**PLACEHOLDER_NONCE_SERVER**"></app-root>
image.png