fix(@angular/build): normalize line endings for CSP hash generation#32712

Merged
clydin merged 1 commit into angular:main from alan-agius4:auto-csp
Mar 6, 2026

Conversation

@alan-agius4
Collaborator

When autoCsp reads an index.html with CRLF line endings, it generates hashes based on the CRLF content. However, the transformed file is always written with LF line endings, causing CSP violations.

This commit ensures that script content line endings are normalized to LF before hashing to match the output file.

Closes #32709

@alan-agius4 alan-agius4 requested a review from clydin March 6, 2026 07:57
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: patch This PR is targeted for the next patch release and removed area: @angular/build labels Mar 6, 2026

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request addresses an issue with Content Security Policy (CSP) hash generation for files using CRLF line endings by normalizing script content to LF before hashing. However, the current approach misses standalone carriage returns (CR), which also require robust normalization to prevent potential CSP violations. Additionally, a security vulnerability was identified in the shouldDynamicallyLoadScriptTagBasedOnType function, allowing for potential Cross-Site Scripting (XSS) via malicious type attributes in script tags; tightening the validation of script types is recommended to mitigate this risk. The pull request also includes several beneficial refactorings in the test suite.

When `autoCsp` reads an `index.html` with CRLF line endings, it generates hashes based on the CRLF content. However, the transformed file is always written with LF line endings, causing CSP violations.

This commit ensures that script content line endings are normalized to LF before hashing to match the output file.

Closes angular#32709
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Mar 6, 2026
@clydin clydin merged commit 6324133 into angular:main Mar 6, 2026
36 checks passed
@clydin
Member

clydin commented Mar 6, 2026

This PR was merged into the repository. The changes were merged into the following branches:

@alan-agius4 alan-agius4 deleted the auto-csp branch March 6, 2026 16:02
Successfully merging this pull request may close these issues.

AutoCsp generates invalid hash for inline script in index.html if CRLF

2 participants