
I am developing an Angular Single-Page Application (SPA) and aim to enforce strict Content Security Policies (CSP) for enhanced security. However, I’ve encountered an issue where allowing unsafe-inline is required to accommodate inline styles, which conflicts with my security goals. Here’s my current CSP configuration:

Content-Security-Policy:  
  default-src 'self';  
  script-src 'self' fonts.googleapis;  
  style-src 'self' 'unsafe-inline' fonts.googleapis blob:;  
  img-src 'self' data:;  
  font-src 'self' fonts.gstatic;  
  connect-src 'self';  
  block-all-mixed-content;  

After researching online and reviewing Stack Overflow, I haven’t found a viable solution to eliminate the need for unsafe-inline. I cannot implement the nonce approach often recommended for bypassing this.

My Question:
Is there an alternative method to avoid relying on unsafe-inline, either through configuration adjustments or Angular-specific practices?

Any guidance would be greatly appreciated. Thank you!


asked Mar 8 at 16:49 by wuyanzhu

1 Answer

Start by reading https://scotthelme.co.uk/can-you-get-pwned-with-css/. Then consider if hashes or rewrites/replacements for all your inline styles are worth the effort, as your CSP is already blocking most exfiltration.

Tags: html. Title: Seeking Alternatives to 'unsafe-inline' for Angular CSP Configuration (Stack Overflow)