Description
Preflight Checklist
- I have read the Contributing Guidelines for this project.
- I agree to follow the Code of Conduct that this project adheres to.
- I have searched the issue tracker for an issue that matches the one I want to file, without success.
Your Question
Is the SBB Angular Component Library compatible with the new strict Content Security Policy (CSP) rules added in the ESTA Blueprint?
Give us a summary about your question
We want to integrate the new CSP rules from the ESTA Blueprint: https://code.sbb.ch/projects/KD_ESTA_BLUEPRINTS/repos/esta-cloud-angular/commits/f099676d56ab8ff7456119f13833ec6d6bef410e#docker%2Fnginx-location.conf
Due to restrictions on inline styles, we’ve been unable to resolve the errors and created a minimal example to identify which components are causing the issue.
It appears that some SBB Angular components are involved. For instance, even with an example that only renders an SBB Checkbox, we still encounter this error.
Example repo: https://code.sbb.ch/projects/AMN_NEON/repos/csp-test/browse
Error:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-xxx'". Either the 'unsafe-inline' keyword, a hash ('sha256-xxx'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
Is there a proper solution for this? If not, could we add to the documentation that it’s acceptable to relax the inline style restrictions?
Thanks and regards
Provide as much useful information as you can
No response
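The rules that the browser error above summarizes, as an added example (not code from this issue or from the SBB Angular project): a small JavaScript model of how CSP Level 3 decides whether an inline `<style>` element or a `style` attribute is allowed. The function names and the shape of the `style` object are assumptions made for illustration, and hashes are passed in precomputed.

```javascript
// Added example: a model of CSP Level 3 inline-style checks, not browser or Angular code.
// Assumed input shape: style = { kind: 'element' | 'attribute', nonce?, hash? },
// where hash is the precomputed "sha256-<base64>" digest of the style text.

function effectiveStyleSources(policy, kind) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  const specific = kind === 'attribute' ? 'style-src-attr' : 'style-src-elem';
  for (const key of [specific, 'style-src', 'default-src']) {
    if (directives.has(key)) return directives.get(key);
  }
  return null; // no directive governs inline styles
}

function checkInlineStyle(policy, style) {
  const sources = effectiveStyleSources(policy, style.kind);
  if (sources === null) return { allowed: true, reason: 'no governing directive' };
  const keywords = sources.map((s) => s.toLowerCase());
  // Nonce and hash values are case-sensitive, so they are read from the raw tokens.
  const nonces = sources.filter((s) => /^'nonce-.+'$/i.test(s)).map((s) => s.slice(7, -1));
  const hashes = sources.filter((s) => /^'sha(256|384|512)-.+'$/i.test(s)).map((s) => s.slice(1, -1));

  // 'unsafe-inline' is ignored as soon as the list carries any nonce or hash.
  if (keywords.includes("'unsafe-inline'") && nonces.length + hashes.length === 0) {
    return { allowed: true, reason: "'unsafe-inline'" };
  }
  // Nonces apply to <style> elements only, never to style="" attributes.
  if (style.kind === 'element' && style.nonce && nonces.includes(style.nonce)) {
    return { allowed: true, reason: 'nonce match' };
  }
  // Hashes cover elements; attributes additionally need 'unsafe-hashes'.
  const hashUsable = style.kind === 'element' || keywords.includes("'unsafe-hashes'");
  if (hashUsable && style.hash && hashes.includes(style.hash)) {
    return { allowed: true, reason: 'hash match' };
  }
  return { allowed: false, reason: 'no matching source expression' };
}

// Policy string taken from the error message above ('xxx' is the issue's redacted value).
const POLICY = "style-src 'self' 'nonce-xxx'";
console.log(checkInlineStyle(POLICY, { kind: 'element' }));
console.log(checkInlineStyle(POLICY, { kind: 'element', nonce: 'xxx' }));
console.log(checkInlineStyle(POLICY, { kind: 'attribute', nonce: 'xxx' }));
```

Under the policy quoted in the error, only a `<style>` element that carries the matching nonce passes; a `style` attribute is blocked even when a nonce is supplied.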