From 025cf9302b612bd288846030ebe6d5537c1fa483 Mon Sep 17 00:00:00 2001
From: Bjarki
Date: Wed, 7 Jul 2021 17:05:35 +0000
Subject: [PATCH] build(docs-infra): send CSP reports for Trusted Types violations (#42800)

Configure Firebase to serve a CSP header on angular.io that enables Trusted Types in report-only mode. This causes any Trusted Types violations that may occur as users browser angular.io to generate a CSP report that is sent to csp.withgoogle.com, where it is processed by Google's CSP report collector. This is a non-breaking change that allows us to evaluate whether angular.io is fully compatible with Trusted Types, at which point we can start enforcing Trusted Types. PR Close #42800
---
 aio/firebase.json | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/aio/firebase.json b/aio/firebase.json
index 33718c9abaf78..9a440bfffc880 100644
--- a/aio/firebase.json
+++ b/aio/firebase.json
@@ -195,6 +195,27 @@
 }
 ],
 "headers": [
+ {
+ // All URLs
+ "source": "**",
+ "headers": [
+ // Report Trusted Types violations
+ {
+ "key": "Content-Security-Policy-Report-Only",
+
+ // The following Trusted Types policies are allowed:
+ // - angular: Angular's main internal policy. Defined in the `@angular/core` package.
+ // - angular#bundler: Used by Angular's bundler. Defined in the `webpack` package, enabled by `@angular-devkit/build-angular`.
+ // - angular#unsafe-bypass: For bypassSecurityTrust* usage. Defined in the `@angular/core` package.
+ // - aio#analytics: For the Google Analytics snippet. Defined in `index.html`.
+ // - google#safe: Used by the safevalues library. Defined in the `safevalues` package.
+
+ // csp.withgoogle.com is Google's CSP report collecting
+ // infrastructure.
+ "value": "require-trusted-types-for 'script'; trusted-types angular angular#bundler angular#unsafe-bypass aio#analytics google#safe; report-uri https://csp.withgoogle.com/csp/angular.io"
+ }
+ ]
+ },
 {
 // All paths (URLs without a file extension).
 "source": "**/!(*.*)",
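Review bot: The new `"value"` relies on `report-uri`, which CSP Level 3 deprecates in favour of `report-to`, and the comment block above it does not record why that choice was made; since `report-to` needs a separate `Report-To`/`Reporting-Endpoints` header and cross-browser support at the time of this change is limited to `report-uri`, a line such as `// report-uri is deprecated in CSP3 but is the only reporting directive supported across browsers; revisit once report-to is widely available.` would stop the next maintainer from "fixing" it. Note also that `"source": "**"` attaches the header to every response, including scripts, styles and images, where a document-level directive such as `require-trusted-types-for` is inert; assuming Firebase applies headers from every matching source block, this is only some extra bytes per response, but scoping it to the document sources (the `**/!(*.*)` entry that follows, plus the HTML entry points) would make the intent explicit. Finally, `trusted-types` without `'allow-duplicates'` generates a violation if any listed policy name is created a second time (for example by a lazily loaded bundle); in report-only mode that is harmless and arguably the signal wanted, but it is worth a short comment so such reports are not misread as a genuine Trusted Types incompatibility.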