Update CSP to support FAST

angular-workspace/projects/example-client-app/karma.conf.js

@@ -49,11 +49,13 @@ module.exports = function (config) {
       // Need script-src 'unsafe-inline' to support karma behavior
       // See https://github.com/karma-runner/karma/issues/3260
       // Need script-src 'unsafe-eval' to support running in Angular tests
+      // Need style-src 'unsafe-inline' to support FAST
+      // See: https://github.com/microsoft/fast/issues/4510
       // Need worker-src blob: to support current worker loading pattern
       {
           match: '\\.html',
           name: 'Content-Security-Policy',
-          value: "default-src 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob: ;"
+          value: "default-src 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob: ;"
       }
   ]
   });

angular-workspace/projects/ni/nimble-angular/karma.conf.js

@@ -55,11 +55,13 @@ module.exports = config => {
             // Need script-src 'unsafe-inline' to support karma behavior
             // See https://github.com/karma-runner/karma/issues/3260
             // Need script-src 'unsafe-eval' to support running in Angular tests
+            // Need style-src 'unsafe-inline' to support FAST
+            // See: https://github.com/microsoft/fast/issues/4510
             // Need worker-src blob: to support current worker loading pattern
             {
                 match: '\\.html',
                 name: 'Content-Security-Policy',
-                value: "default-src 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob: ;"
+                value: "default-src 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob: ;"
             }
         ]
     });

packages/nimble-components/karma.conf.js

@@ -152,12 +152,14 @@ module.exports = config => {
             // Test under the OWASP Basic non-strict CSP Policy
             // See: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#basic-non-strict-csp-policy
             // Need script-src 'unsafe-inline' to support karma behavior
-            // See https://github.com/karma-runner/karma/issues/3260
+            // See: https://github.com/karma-runner/karma/issues/3260
+            // Need style-src 'unsafe-inline' to support FAST
+            // See: https://github.com/microsoft/fast/issues/4510
             // Need worker-src blob: to support current worker loading pattern
             {
                 match: '\\.html',
                 name: 'Content-Security-Policy',
-                value: "default-src 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; worker-src 'self' blob: ;"
+                value: "default-src 'self'; frame-ancestors 'self'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob: ;"
             }
         ]
     };