mirror of https://github.com/abpframework/abp
# ContentSecurityStrategy
`ContentSecurityStrategy` is an abstract class exposed by the `@abp/ng.core` package. It helps you mark inline scripts or styles as safe in terms of [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
## API
### constructor(public nonce?: string)
- `nonce` enables whitelisting inline scripts or styles in order to avoid using `unsafe-inline` in the [script-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script) and [style-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src#Unsafe_inline_styles) directives.
### applyCSP(element: HTMLScriptElement | HTMLStyleElement): void
This method maps the aforementioned properties to the given `element`.
## LooseContentSecurityPolicy
`LooseContentSecurityPolicy` is a class that extends `ContentSecurityStrategy`. It requires a `nonce` and marks the given `<script>` or `<style>` tag with it.
## NoContentSecurityPolicy
`NoContentSecurityPolicy` is a class that extends `ContentSecurityStrategy`. It does not mark inline scripts and styles as safe. You can consider it a no-op alternative.
## Predefined Content Security Strategies
Predefined content security strategies are accessible via the `CONTENT_SECURITY_STRATEGY` constant.
### Loose(nonce: string)
`nonce` will be set.
### None()
Nothing will be done.
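
The following is an added example, not code from `@abp/ng.core`: a stand-alone model of the two strategies described on this page, checked against a simplified version of the browser's inline-content decision. `InlineElement`, `inlineAllowed`, `demo` and the sample nonce and policy are assumptions made for the illustration.

```typescript
// Stand-alone model of the API described on this page; not the @abp/ng.core source.
// InlineElement is a hypothetical stand-in for HTMLScriptElement | HTMLStyleElement (no DOM needed).
class InlineElement {
  private attrs: Record<string, string> = {};
  constructor(public readonly tagName: 'script' | 'style') {}
  setAttribute(name: string, value: string): void { this.attrs[name] = value; }
  getAttribute(name: string): string | null { return name in this.attrs ? this.attrs[name] : null; }
}

abstract class ContentSecurityStrategy {
  constructor(public nonce?: string) {}
  abstract applyCSP(element: InlineElement): void;
}
class LooseContentSecurityPolicy extends ContentSecurityStrategy {
  constructor(nonce: string) { super(nonce); }
  applyCSP(element: InlineElement): void { element.setAttribute('nonce', this.nonce as string); }
}
class NoContentSecurityPolicy extends ContentSecurityStrategy {
  applyCSP(_element: InlineElement): void { /* no-op: element stays unmarked */ }
}

// Simplified model of the browser's inline check (assumption: only nonce sources and
// 'unsafe-inline' are handled; hashes and default-src fallback are not modelled).
function inlineAllowed(policy: string, element: InlineElement): boolean {
  const wanted = element.tagName === 'script' ? 'script-src' : 'style-src';
  const directive = policy.split(';').map(d => d.trim().split(/\s+/)).filter(d => d[0] === wanted)[0];
  if (!directive) return true;
  const sources = directive.slice(1);
  const nonce = element.getAttribute('nonce');
  if (nonce !== null && sources.indexOf(`'nonce-${nonce}'`) !== -1) return true;
  // Browsers ignore 'unsafe-inline' once a nonce source is listed.
  const hasNonceSource = sources.some(s => s.indexOf("'nonce-") === 0);
  return !hasNonceSource && sources.indexOf("'unsafe-inline'") !== -1;
}

// Constructed sample values; a real server issues a fresh unpredictable nonce per response.
const SAMPLE_NONCE = 'c2FtcGxlLW5vbmNlLTAwMQ==';
const SAMPLE_POLICY = `script-src 'self' 'nonce-${SAMPLE_NONCE}'; style-src 'self' 'nonce-${SAMPLE_NONCE}'`;

function demo(): { loose: boolean; none: boolean; staleNonce: boolean } {
  const marked = new InlineElement('script');
  new LooseContentSecurityPolicy(SAMPLE_NONCE).applyCSP(marked);
  const unmarked = new InlineElement('style');
  new NoContentSecurityPolicy().applyCSP(unmarked);
  const stale = new InlineElement('script');
  new LooseContentSecurityPolicy('c3RhbGUtbm9uY2U=').applyCSP(stale); // nonce not in the policy
  return { loose: inlineAllowed(SAMPLE_POLICY, marked), none: inlineAllowed(SAMPLE_POLICY, unmarked),
           staleNonce: inlineAllowed(SAMPLE_POLICY, stale) };
}
```

Under a nonce-based policy, only the element marked with the nonce the server sent in the header passes; the unmarked element and the one carrying a different nonce are both blocked.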
## What's Next?
TODO: Place new ContentStrategy link here.