问题
I cannot make base Angular2 (final) application works with the following restrictive CSP.
default-src 'none';
script-src 'self';
style-src 'self';
font-src 'self';
img-src 'self' data:;
connect-src 'self'
There are one unsafe-eval error in lang.js and two in zone.js. Could you provide a solution ?
Step to reproduce with Angular CLI
I have created a GitHub repository. You can also follow the instructions below.
Use the last Angular CLI with webpack 6.0.8 and the new application created with the instructions below.
ng new csp-test
Insert in the index.html the meta tag defining the following restrictive content security policy.
<meta
http-equiv="Content-Security-Policy"
content="default-src 'none';script-src 'self';style-src 'self';font-src 'self';img-src 'self' data:;connect-src 'self'">
Then serve the application.
ng serve
Access http://localhost:4200/, the page does not load since scripts are blocked by CSP.
Errors
lang.js
lang.js:335 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
with the source code.
335: return new (Function.bind.apply(Function, [void 0].concat(fnArgNames.concat(fnBody))))().apply(void 0, fnArgValues);
zone.js
zone.js:344 Unhandled Promise rejection: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
; Zone: <root> ; Task: Promise.then ; Value: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
zone.js:346 Error: Uncaught (in promise): EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".(…)
with the source code.
343: if (rejection) {
344: console.error('Unhandled Promise rejection:', rejection instanceof Error ? rejection.message : rejection, '; Zone:', e.zone.name, '; Task:', e.task && e.task.source, '; Value:', rejection, rejection instanceof Error ? rejection.stack : undefined);
345: }
346: console.error(e);
回答1:
The problem has been solved using last Angular CLI version (starting with 1.0.0-beta.17). The following command serves a working application because it includes a-head-of-time compilation.
ng serve --prod
回答2:
Using the offline template compiler should fix this.
http://www.syntaxsuccess.com/viewarticle/offline-compilation-in-angular-2.0 https://github.com/angular/angular/issues/1744
回答3:
I've found a way to have restrictive CSP on my production environment while still being able to use the JTI compliler for development.
- Add a second file:
index.production.htmlto thesrcfolder. - Copy the contents of
index.htmlto that file, and add the restrictive CSP header.
<meta http-equiv="Content-Security-Policy"
content="default-src 'none';
frame-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline';
font-src 'self';
img-src 'self' data:;
connect-src 'self'">
- Then, add to your
angular.jsonthe following:
build: {
...
"configurations": {
"production": {
"fileReplacements": [
{
"replace": "src/index.html",
"with": "src/index.production.html"
}
],
...
}
}
}
This makes sure that when you run a production build, it will use the index.production.html with the restrictive CSP, and when you're running it locally, you can use the JTI compiler.
来源:https://stackoverflow.com/questions/38734708/make-angular-working-with-restrictive-content-security-policy-csp