Closed
Description
This is really more of a feature request.
1. OS?
Mac OS // El Capitan
2. ng version?
➜ dist git:(angular2) ng --version
(node:17937) fs: re-evaluating native module sources is not supported. If you are using the graceful-fs module, please update it to a more recent version.
Could not start watchman; falling back to NodeWatcher for file system events.
Visit http://ember-cli.com/user-guide/#watchman for more info.
angular-cli: 1.0.0-beta.8
node: 6.2.2
os: darwin x64
3. Repro steps. Was this an app that wasn't created using the CLI? What change did you
ng build and ng build -prod both produce an index.html that has inline JavaScript:
<script>
System.import('system-config.js').then(function () {
System.import('main');
}).catch(console.error.bind(console));
</script>
This makes applications built using ng build -prod incompatible with CSPs that disable unsafe content sources (e.g. unsafe-inline and unsafe-eval), having to enable these unsafe sources negates the security benefits of having a CSP.
Removing these inline scripts significantly increases the complexity of the builds (afaik) since there is no support for user-defined tasks, nor an easy way to use systemjs's bundler which is capable of creating CSP-compatible builds.
4. The log given by the failure. Normally this include a stack trace and some
N/A
5. Mention any other details that might be useful.
The desired behavior here is for angular-cli production builds to support CSP and increase application security by default.
Metadata
Metadata
Assignees
Labels
No labels