Reputation: 263
Why does CSP script-src unsafe-inline induce styling issues on my Angular webapp?
The issue:
When I try to remove unsafe-inline source for script-src CSP my Angular webapp does not work anymore.
What is the root cause of this issue ?
When using SCSS in Angular@12+, Angular add a property onload on the index.html
<link rel="stylesheet" href="styles.672c1ac3d6da8cc311a2.css" media="print" onload="this.media='all'">
This results in a violation of the CSP unsafe-inline source for script-src header.
How to fix this issue and remove this "security breach" on my Angular web app ?
Upvotes: 4
Views: 6049
Answers (3)
Reputation: 61
If you're using Angular Universal (SSR), you must disable inlineCriticalCss in your server.ts file as well
Locate
bootstrap: AppServerModule
And add inlineCriticalCss: false
bootstrap: AppServerModule,
inlineCriticalCss: false
Source: https://github.com/angular/angular/issues/42098#issuecomment-841629552
Upvotes: 0
Reputation: 658
Now on Angular 16 we have a solution for this long waited CSP feature.
https://angular.io/guide/security#content-security-policy
Upvotes: 1
Reputation: 263
The solution:
Adding "inlineCritical": false to the angular.json solved the issue because it disable Critical CSS inlining.
"configurations": {
"production": {
"optimization": {
"styles": {
"inlineCritical": false
}
}
}
}
Why Angular does that?
When the browser renders a page, it has to wait for the CSS resources to be downloaded and parsed. It can give the (false) impression that the loading of your application is slow, and impacts the First Contentful Paint (FCP) time.
A common technique to avoid that is to inline the CSS directly in the HTML, to avoid an extra request (this is what Lighthouse recommends). But you don’t want to inline all your CSS, otherwise the time to download the HTML increases. You just want to inline critical CSS resources, the ones that blocks the rendering, and that your user will see (you can defer the rest of CSS).
The Angular CLI introduces a new option in v11.1 to help us with this: inlineCSS
The CLI will then use critters under the hood to extract the critical CSS of your application, and inline them directly in the HTML.
Running ng build --prod with the above configuration produces an index.html file with a style element containing the critical CSS extracted, and the usual styles.xxxxx.css is loaded asynchronously using:
<link rel="stylesheet" href="styles.3d6bb69e3d075769b349.css" media="print" onload="this.media='all'">
For more informations about the unsafe-inline CSP keyword: https://content-security-policy.com/unsafe-inline/
Upvotes: 9
Related Questions
- Content Security Policy blocks Angular Styles
- Angular: avoid inline javascript
- CSP style-src: 'unsafe-inline' - is it worth it?
- Error no angular: "Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"
- Content Security Policy - style-src does not prevent inline styles
- Avoiding `script-src 'unsafe-inline'` with Content-Security-Policy and JavaScript
- In CSP, what's unsafe about 'unsafe-inline'?
- CSP - How to solve style-src unsafe-inline -when having dynamically positioned page elements
- "inline-style"-Error with Content Security Policy and Javascript
- CSP 2.0 (unsafe-inline) and Angular