Reputation: 29
While applying a CSP nonce for scripts and styles, I ran into a problem with ag-grid (https://www.ag-grid.com/). I followed the approach mentioned in the Angular CSP documentation (https://angular.dev/best-practices/security#content-security-policy). I've set the ngCspNonce attribute on the root application element. I see console errors as shown below. The nonce was working for all controls except ag-grid.
Clicking on dom.mjs shows that the script below is blocked.
Please advise how to make the Content Security Policy nonce work for ag-grid.
Upvotes: 0
Views: 296
Reputation: 17758
It's not possible to use the CSP style-src nonce policy with AG Grid. To cite the docs:
The style-src policy requires the unsafe-inline due to the DOM Row and Column Virtualisation. The technique the grid uses to display position rows requires explicit positioning of the rows and columns. This positioning is only possible using CSS style attributes to set explicit X and Y positions. This is a feature that all data grids have. Without it, the data grid would have a very low limit on the amount of data that could be displayed
Upvotes: 1
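An added example, not part of the original answer or AG Grid's own code: a small JavaScript check of whether a given policy lets inline style attributes through, which the cited docs say the grid needs. It follows the CSP Level 3 rules (style attributes are governed by style-src-attr, falling back to style-src and then default-src, and 'unsafe-inline' is ignored when a nonce or hash sits in the same list). The policies and the nonce are constructed samples, and whether the split style-src-elem / style-src-attr policy suits a particular AG Grid version is an assumption to confirm in the browser console.

```javascript
// Parse "directive src src; directive src" into a Map of name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const NONCE_OR_HASH = /^'(nonce-|sha256-|sha384-|sha512-)[^']+'$/i;

// Returns { directive, allowed } describing how inline style="" attributes fare.
function styleAttrVerdict(policy) {
  const directives = parseCsp(policy);
  // Fallback chain for style attributes in CSP Level 3.
  const governing = ['style-src-attr', 'style-src', 'default-src']
    .find((name) => directives.has(name));
  if (!governing) return { directive: null, allowed: true }; // nothing restricts styles
  const sources = directives.get(governing);
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // A nonce cannot match an attribute, and a nonce or hash in the governing
  // list makes the browser ignore 'unsafe-inline', so the attribute is blocked.
  return { directive: governing, allowed: hasUnsafeInline && !hasNonceOrHash };
}

const NONCE = "'nonce-Q09OU1RSVUNURUQ='"; // constructed placeholder, not a real nonce
const samples = {
  // Nonce-only styles: inline style attributes are refused.
  nonceOnly: `default-src 'self'; script-src 'self' ${NONCE}; style-src 'self' ${NONCE}`,
  // Adding 'unsafe-inline' next to the nonce does not help.
  nonceAndUnsafeInline: `default-src 'self'; style-src 'self' ${NONCE} 'unsafe-inline'`,
  // Scripts keep the nonce; styles fall back to 'unsafe-inline'.
  unsafeInlineOnly: `default-src 'self'; script-src 'self' ${NONCE}; style-src 'self' 'unsafe-inline'`,
  // CSP3 split (assumption): nonce for <style> elements, relaxation only for attributes.
  splitDirectives: `default-src 'self'; script-src 'self' ${NONCE}; style-src-elem 'self' ${NONCE}; style-src-attr 'unsafe-inline'`,
};

for (const [name, policy] of Object.entries(samples)) {
  console.log(name, styleAttrVerdict(policy));
}
```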