From 5e755fff9d70a7fd3c4f85bb524f1b774dd85b25 Mon Sep 17 00:00:00 2001 From: Rigel Kent Date: Thu, 13 Dec 2018 09:49:45 +0100 Subject: add Content Security Policy (#1252) * add Content Security Policy * remove reflect-metadata on production builds to get rid of unsafe-eval * fix baseCSP usage * add SRI to CSP * add blob: to media-src * remove SRI * CSP set to reportOnly * adding data: to connect-src CSP * remove block-all-mixed-content * add report-uri support --- client/src/environments/environment.ts | 7 +++++++ client/src/polyfills.ts | 8 +++++++- 2 files changed, 14 insertions(+), 1 deletion(-) (limited to 'client/src') diff --git a/client/src/environments/environment.ts b/client/src/environments/environment.ts index 5bb6f4b34..1ea483554 100644 --- a/client/src/environments/environment.ts +++ b/client/src/environments/environment.ts @@ -2,6 +2,13 @@ // `ng build --env=prod` then `environment.prod.ts` will be used instead. // The list of which env maps to which file can be found in `.angular-cli.json`. +// Reflect.metadata polyfill is only needed in the JIT/dev mode. +// +// In order to load these polyfills early enough (before app code), polyfill.ts imports this file to +// to change the order in the final bundle. +import 'core-js/es6/reflect' +import 'core-js/es7/reflect' + export const environment = { production: false, hmr: false, diff --git a/client/src/polyfills.ts b/client/src/polyfills.ts index 5dff18632..368908432 100644 --- a/client/src/polyfills.ts +++ b/client/src/polyfills.ts @@ -45,7 +45,13 @@ import 'core-js/es7/object' /** IE10 and IE11 requires the following for the Reflect API. */ // For Google Bot -import 'core-js/es6/reflect' +// import 'core-js/es6/reflect'; // --> dealt with in src/environment.ts + +/** + * Evergreen browsers require these. + */ +// Used for reflect-metadata in JIT. If you use AOT (and only Angular decorators), you can remove. +// import 'core-js/es7/reflect' // --> dealt with in src/environment.ts /** * Required to support Web Animations `@angular/platform-browser/animations`. -- cgit v1.2.3