test: enable Content Security Policy (CSP) to test the scion-toolkit …

…is CSP compliant The browser will prevent the toolkit testing app from loading if the scion-toolkit or any dependencies violate the CSP policy.
SchweizerischeBundesbahnen · Nov 1, 2024 · 27198c1 · 27198c1
1 parent f1e6909
commit 27198c1
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 4 deletions.
diff --git a/angular.json b/angular.json
@@ -235,7 +235,10 @@
               "buildTarget": "components-app:build:production"
             },
             "development": {
-              "buildTarget": "components-app:build:development"
+              "buildTarget": "components-app:build:development",
+              "headers": {
+                "Content-Security-Policy": "default-src 'self'; connect-src 'self' blob: localhost:*; font-src 'self' https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'nonce-STATIC_NONCE'; script-src 'self' 'nonce-STATIC_NONCE';"
+              }
             }
           },
           "defaultConfiguration": "development"
@@ -321,7 +324,10 @@
               "buildTarget": "components-testing-app:build:production"
             },
             "development": {
-              "buildTarget": "components-testing-app:build:development"
+              "buildTarget": "components-testing-app:build:development",
+              "headers": {
+                "Content-Security-Policy": "default-src 'self'; connect-src 'self' blob: localhost:*; font-src 'self' https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'nonce-STATIC_NONCE'; script-src 'self' 'nonce-STATIC_NONCE';"
+              }
             }
           },
           "defaultConfiguration": "development"

diff --git a/apps/components-testing-app/src/index.html b/apps/components-testing-app/src/index.html
@@ -7,6 +7,6 @@
     <meta name="viewport" content="width=device-width, initial-scale=1">
   </head>
   <body>
-    <app-root></app-root>
+    <app-root ngCspNonce="STATIC_NONCE"></app-root>
   </body>
 </html>
diff --git a/apps/components-testing-app/vercel-test-server.config.json b/apps/components-testing-app/vercel-test-server.config.json
@@ -1,5 +1,14 @@
 {
   "headers": [
+    {
+      "source": "**",
+      "headers": [
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self'; connect-src 'self' blob: localhost:*; font-src 'self' https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'nonce-STATIC_NONCE'; script-src 'self' 'nonce-STATIC_NONCE';"
+        }
+      ]
+    },
     {
       "source": "**",
       "headers": [

diff --git a/apps/components/src/index.html b/apps/components/src/index.html
@@ -8,6 +8,6 @@
     <link rel="icon" type="image/x-icon" href="favicon.ico">
   </head>
   <body>
-    <app-root></app-root>
+    <app-root ngCspNonce="STATIC_NONCE"></app-root>
   </body>
 </html>