Description
openedon Sep 27, 2018
Bug Report or Feature Request (mark with an x
)
- [ ] bug report -> please search issues before submitting
- [x] feature request
Command (mark with an x
)
- [ ] new
- [x] build
- [ ] serve
- [ ] test
- [ ] e2e
- [ ] generate
- [ ] add
- [ ] update
- [ ] lint
- [ ] xi18n
- [ ] run
- [ ] config
- [ ] help
- [ ] version
- [ ] doc
Versions
node: 10.8.0
npm: 6.3.0
ng: 6.2.3
os: Windows 10
Desired functionality
I would like the ability to define a nonce generated on the server that angular will add to the inline styles so that I can comply with business requirements not to use 'unsafe-inline' in CSP.
Mention any other details that might be useful
https://webpack.js.org/guides/csp/
webpack-contrib/style-loader#319
Adding webpack_nonce to the entry file did work for injected script tags but not the injected style tags used for the component css.
This is more of a support question but worth considering when documenting. To use this feature properly we should cryptographically generate the nonce on the server when serving the angular app to the client and use in entry file. Not sure the intended webpack way to do this but tried this suggestion without success styled-components/styled-components#887 (comment) .