Content Security Policy and SPAs #32405

@jgtestw

Which @angular/* package(s) are relevant/related to the feature request?

No response

Description

Currently CSP and SPAs don't work well together.

There is, however, something very simple we could do to make CSP 100% compatible with SPAs.

Proposed solution

When Angular builds the app, also output a file called hashes.json. This file contains a list of hashes of all of the bootstrap js scripts. Then, in your backend, say asp.net core, you read this file and add the hashes to your CSP header.

This would be a very simple change that would make a lot of people's lives much easier.

Alternatives considered

  • AutoCSP is not ideal because it uses the meta tag, not http headers.
  • Setting the nonce to CSP_NONCE doesn't work with strict-dynamic.
  • Setting the nonce in index.html breaks caching.
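The two halves of the proposal above, as an added example that is not part of the issue and not code from the Angular project: a build-side step that scans the generated index.html, computes CSP-style `sha256-` hashes for the inline bootstrap script and for each referenced bundle, and serialises them as hashes.json; and a server-side step that reads those hashes back and assembles a `Content-Security-Policy` header using `'strict-dynamic'`. The index.html and bundle contents are constructed samples, and the function names (`collect_script_hashes`, `build_csp_header`) are this example's own, not an Angular CLI or ASP.NET Core API.

```python
import base64
import hashlib
import json
import re

# Constructed sample standing in for the index.html an Angular build emits.
SAMPLE_INDEX_HTML = """<!doctype html>
<html>
<head><title>app</title></head>
<body>
<app-root></app-root>
<script>window.__bootstrap = true;</script>
<script src="runtime.js" type="module"></script>
<script src="main.js" type="module"></script>
</body>
</html>
"""

# Constructed bundle contents keyed by the src attribute that references them.
SAMPLE_BUNDLES = {
    "runtime.js": b"console.log('runtime');",
    "main.js": b"console.log('main');",
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def csp_hash(data: bytes) -> str:
    """CSP hash-source: base64 of the SHA-256 digest, prefixed with the algorithm name."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def collect_script_hashes(index_html: str, bundles: dict) -> dict:
    """Build-side step: hash every <script> in index.html.

    Inline scripts are hashed over their exact body (CSP compares the bytes
    between the tags, so no whitespace trimming). External scripts are hashed
    over the bundle bytes so the same digest can be used for an integrity
    attribute and a script-src hash-source.
    """
    inline, external = [], {}
    for attrs, body in SCRIPT_RE.findall(index_html):
        src = SRC_RE.search(attrs)
        if src:
            name = src.group(1)
            external[name] = csp_hash(bundles[name])
        else:
            inline.append(csp_hash(body.encode("utf-8")))
    return {"inline": inline, "external": external}


def to_hashes_json(hashes: dict) -> str:
    """Serialise the result in the hashes.json shape the proposal describes."""
    return json.dumps(hashes, indent=2, sort_keys=True)


def build_csp_header(hashes_json: str) -> str:
    """Server-side step: read hashes.json and emit the header value.

    'strict-dynamic' lets scripts trusted by hash load further scripts at
    runtime; the fallback directives keep plugins and <base> tampering out.
    """
    hashes = json.loads(hashes_json)
    sources = ["'strict-dynamic'"]
    sources += [f"'{h}'" for h in hashes["inline"]]
    sources += [f"'{h}'" for h in hashes["external"].values()]
    return (
        "script-src " + " ".join(sources) + "; "
        "object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    hashes_json = to_hashes_json(collect_script_hashes(SAMPLE_INDEX_HTML, SAMPLE_BUNDLES))
    print(hashes_json)
    print("Content-Security-Policy:", build_csp_header(hashes_json))
```

Two caveats a practitioner should check before relying on this. A hash-source for an external script only takes effect in browsers implementing CSP Level 3 external-script hashing, and only when the `<script>` tag carries a matching `integrity` attribute; in older browsers those hashes are ignored and the bundle is blocked unless another source expression allows it. And because the header is derived from build output, hashes.json must be regenerated and redeployed with every build, or the served policy and the served bundles drift apart and the app fails to load.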
