Describe the problem that you experienced
In the Security page it says "If you want to inline the critical CSS of your application, you can not use the CSP_NONCE token, and should prefer the autoCsp option or set the ngCspNonce attribute on the root application element."
When I configure autoCSP in angular.json it generates the following meta tag in index.html:
It does not contain any configuration for style-src.
If I add an inline style element it does not break when I view the page.
If I add a style-src without unsafe-inline it breaks.
If I add an inline script element it breaks the script-src rule in the meta tag as expected.
Using ngCspNonce and then adding style-src with the same nonce I can make a CSP rule without unsafe-inline.
So for inline CSS without style-src unsafe-inline, ngCspNonce works for me but not autoCSP.
So either I'm missing something about how to configure autoCSP for inline CSS or the documentation is incorrect.
Enter the URL of the topic with the problem
https://angular.dev/best-practices/security#content-security-policy
Describe what you were looking for in the documentation
Documentation about how to configure CSP without unsafe-inline
Describe the actions that led you to experience the problem
No response
Describe what you want to experience that would fix the problem
No response
Add a screenshot if that helps illustrate the problem
No response
If this problem caused an exception or error, please paste it here
If the problem is browser-specific, please specify the device, OS, browser, and version
Provide any additional information here in as much detail as you can
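
Added example, not part of the original issue and not Angular's code: a simplified model of the browser's CSP Level 3 inline check, showing why a policy with no `style-src` lets inline styles through while one with `style-src` and no nonce blocks them. The policies and the nonce value are constructed samples and do not reproduce the meta tag that autoCsp generates.

```javascript
// Simplified model of how a browser decides whether an inline <style> or
// <script> element passes a Content-Security-Policy (CSP Level 3 rules).

// Parse "name v1 v2; name2 v3" into Map(name -> [values]); first duplicate wins.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Directive fallback chains for inline elements.
const FALLBACK = {
  style: ['style-src-elem', 'style-src', 'default-src'],
  script: ['script-src-elem', 'script-src', 'default-src'],
};

// True when an inline element of `kind` carrying `nonce` would be allowed.
// Hash matching is not modelled; a hash source only disables 'unsafe-inline'.
function inlineAllowed(policyText, kind, nonce = '') {
  const policy = parsePolicy(policyText);
  const name = FALLBACK[kind].find((d) => policy.has(d));
  if (name === undefined) return true; // no governing directive: unrestricted
  const sources = policy.get(name);
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const strictDynamic = kind === 'script' &&
    sources.some((s) => s.toLowerCase() === "'strict-dynamic'");
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // 'unsafe-inline' is ignored once a nonce or hash source is present.
  return unsafeInline && !hasNonceOrHash && !strictDynamic;
}

// Constructed sample policies mirroring the four observations in the report.
const NONCE = 'cjFuZDBt'; // constructed value
const scriptOnly = `script-src 'nonce-${NONCE}'`;
const withStyleSelf = `${scriptOnly}; style-src 'self'`;
const withStyleNonce = `${scriptOnly}; style-src 'self' 'nonce-${NONCE}'`;

console.log(inlineAllowed(scriptOnly, 'style'));            // style-src absent
console.log(inlineAllowed(withStyleSelf, 'style'));         // style-src, no nonce
console.log(inlineAllowed(scriptOnly, 'script'));           // un-nonced script
console.log(inlineAllowed(withStyleNonce, 'style', NONCE)); // nonced style
```

A policy that omits both `style-src` and `default-src` places no restriction on inline styles, so the absence of an error in that case does not show that inline CSS is covered by the policy.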