fix(@angular/build): normalize line endings for CSP hash generation#32712
fix(@angular/build): normalize line endings for CSP hash generation#32712clydin merged 1 commit intoangular:mainfrom
Conversation
alan-agius4
added
action: review
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request addresses an issue with Content Security Policy (CSP) hash generation for files using CRLF line endings by normalizing script content to LF before hashing. However, the current approach misses standalone carriage returns (CR), which also require robust normalization to prevent potential CSP violations. Additionally, a security vulnerability was identified in the shouldDynamicallyLoadScriptTagBasedOnType function, allowing for potential Cross-Site Scripting (XSS) via malicious type attributes in script tags; tightening the validation of script types is recommended to mitigate this risk. The pull request also includes several beneficial refactorings in the test suite.
When `autoCsp` reads an `index.html` with CRLF line endings, it generates hashes based on the CRLF content. However, the transformed file is always written with LF line endings, causing CSP violations. This commit ensures that script content line endings are normalized to LF before hashing to match the output file. Closes angular#32709
alan-agius4
added
action: merge
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
2 participants
When
autoCspreads anindex.htmlwith CRLF line endings, it generates hashes based on the CRLF content. However, the transformed file is always written with LF line endings, causing CSP violations.This commit ensures that script content line endings are normalized to LF before hashing to match the output file.
Closes #32709