Skip to content

Content Security Policy and SPAs #32405

Open
Enhancement
Open
Content Security Policy and SPAs#32405
Enhancement
Labels
angular/build:applicationarea: @angular/buildfeatureLabel used to distinguish feature request from other issuesfeature: votes requiredFeature request which is currently still in the voting phase
@jgtestw

Description

@jgtestw
jgtestw
opened on Feb 2, 2026

Which @angular/* package(s) are relevant/related to the feature request?

No response

Description

Currently CSP and SPAs don't work well together.

There is however something very simple we could do to make CSP 100% compatible with SPA.

Proposed solution

When Angular builds the app, also output a file called hashes.json. This file contains a list of hashes of all of the bootstrap js scripts. Then, in your backend, say asp.net core, you read this file and add the hashes to your CSP header.

This would be a very simple change that would make a lot of people's lives much easier.

Alternatives considered

  • AutoCSP is not ideal because it uses the meta tag, not http headers.
  • Setting the nonce to CSP_NONCE doesn't work with strict-dynamic.
  • Setting the nonce in index.html breaks caching.

Metadata

Metadata

Assignees

No one assigned

    Labels

    angular/build:applicationarea: @angular/buildfeatureLabel used to distinguish feature request from other issuesfeature: votes requiredFeature request which is currently still in the voting phase

    Type

    Enhancement

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions