Tools.isBrower doesn't support Content Security Policy
Confusedfish opened this issue · comments
The use of new Function() within tools.ts isBroswer() results in an eval function being used which means that any project using ng-sidebar cannot use a restrictive CSP header.
To reproduce the problem:
ng new csp-test
Edit index.htm to include:
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self' ws://localhost:4200; font-src 'self';">
Reference ng_sidebar and use AOT:
ng serve --aot
You will get errors in the browser when it blocks the eval function.
I do not understand the function or would make a fix & pull request but for my local version have just used return true; to sidestep the issue. Perhaps you know of another way to determine if the code is running inBrowser without the use of new Function()?
The function was written that way to avoid it crashing in Node.js contexts (i.e. SSR), but also written before Angular provided a way of checking the context.
It'll need to be updated to make use of PLATFORM_ID
from @angular/core
/ isPlatformBrowser
from @angular/common
.
I'll try to get around to it within the next few days, but I'll also happily accept PRs. :)