Description
My application is facing issues due to having a restricted CSP policy that does not allow unsafe-eval for scripts. When I add a Content-Security-Policy header without unsafe-eval, my application fails to load.
Minimal Reproduction
The restrictive CSP header is being passed through the nginx proxy configuration file.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'
I have removed the unsafe-eval which is causing the application loading issue.
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'
To reproduce this error, you can directly add this CSP in the index.html file.
<meta http-equiv="Content-Security-Policy" content= "default-src 'self' 'nonce-$request_id' ; script-src 'self' 'nonce-$request_id' ; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';">
My project uses Angular version 9 with ahead-of-time (AOT) compilation enabled.
Exception or Error
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-17279687d574ebf5358210888e9e9395'".
at new Function (<anonymous>)
at b.N (vendor.c63b596435f6d085789d.js:1)
at b.c (vendor.c63b596435f6d085789d.js:1)
at Object.D [as resolveRef] (vendor.c63b596435f6d085789d.js:1)
at Object.t.exports [as code] (vendor.c63b596435f6d085789d.js:1)
at Object.t.exports [as validate] (vendor.c63b596435f6d085789d.js:1)
at Object.t.exports [as code] (vendor.c63b596435f6d085789d.js:1)
at t.exports (vendor.c63b596435f6d085789d.js:1)
at N (vendor.c63b596435f6d085789d.js:1)
at b.t (vendor.c63b596435f6d085789d.js:1
Your Environment
Angular Version: Angular CLI: 9.1.13 Node: 16.2.0 OS: win32 x64
Angular: 9.1.13