b950d4675f
If [innerHTML] is used in a component and a Content-Security-Policy is set that does not allow inline styles then Firefox and Chrome show the following message: > Content Security Policy: The page’s settings observed the loading of a resource at self (“default-src”). A CSP report is being sent. This message is caused because Angular is creating an inline style tag to test for a browser bug that we use to decide what sanitization strategy to use, which causes CSP violation errors if inline CSS is prohibited. This test is no longer necessary, since the `DOMParser` is now safe to use and the `style` based check is redundant. In this fix, we default to using `DOMParser` if it is available and fall back to `createHTMLDocument()` if needed. This is the approach used by DOMPurify too. The related unit tests in `html_sanitizer_spec.ts`, "should not allow JavaScript execution when creating inert document" and "should not allow JavaScript hidden in badly formed HTML to get through sanitization (Firefox bug)", are left untouched to assert that the behavior hasn't changed in those scenarios. Fixes #25214. PR Close #36578
Angular
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages.
Quickstart
Changelog
Learn about the latest improvements.
Want to help?
Want to file a bug, contribute some code, or improve documentation? Excellent! Read up on our guidelines for contributing and then check out one of our issues in the hotlist: community-help.