angular-slider/ngx-slider

ngx-slider is not compatible with the default, recommended content-security-policy

roldengarm opened this issue · 1 comments

I've configured the recommended content-security-policy, and then I'm getting this error:

Failed to set the 'innerHTML' property on 'Element': This document requires 'TrustedHTML' assignment.


Our CSP is configured as per Angular's recommendation:

trusted-types angular angular#bundler; require-trusted-types-for 'script'; default-src 'self'; script-src 'self' 'unsafe-hashes' 'sha256-MhtPZXr7+LpJUY5qtMutB+qWfQtMaPccfe7QXtCcEYc='; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com; frame-src 'self'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; frame-ancestors 'none'; form-action 'self'

Even adding angular#unsafe-bypass as a trusted-type doesn't work. This is a security concern.
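
Why allowing one more policy name leaves the error in place, as an added example (not code from the issue, from Angular or from ngx-slider): a simplified JavaScript model of how the trusted-types and require-trusted-types-for directives quoted above apply to an innerHTML assignment. The function names and the { kind, policy } value shape are assumptions made for this sketch.

```javascript
// Simplified model of how a browser applies the Trusted Types directives of a
// CSP to an innerHTML assignment. Illustrative only, not browser or Angular code.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = values; // first occurrence wins
  }
  return directives;
}

// Can a policy with this name be created under the `trusted-types` directive?
function policyAllowed(csp, policyName) {
  const allowed = csp['trusted-types'];
  if (allowed === undefined) return true;        // directive absent: names unrestricted
  if (allowed.includes("'none'")) return false;
  return allowed.includes('*') || allowed.includes(policyName);
}

// Decide what happens when `value` is assigned to element.innerHTML.
// `value` is { kind: 'string' } or { kind: 'TrustedHTML', policy: '<name>' }.
function checkInnerHtmlAssignment(csp, value) {
  const enforced = (csp['require-trusted-types-for'] || []).includes("'script'");
  if (!enforced) return 'allowed: Trusted Types not enforced';
  if (value.kind === 'TrustedHTML') {
    return policyAllowed(csp, value.policy)
      ? `allowed: TrustedHTML from policy "${value.policy}"`
      : `blocked: policy "${value.policy}" cannot be created`;
  }
  // A plain string passes only if a policy named "default" can exist to convert it.
  return policyAllowed(csp, 'default')
    ? 'allowed only if the page registers a "default" policy'
    : "blocked: This document requires 'TrustedHTML' assignment";
}

// Trusted Types part of the policy quoted in the issue, plus the variant the
// reporter also tried (one more policy name allowed).
const REPORTED = "trusted-types angular angular#bundler; require-trusted-types-for 'script'; default-src 'self'";
const WITH_BYPASS = REPORTED.replace('angular#bundler', 'angular#bundler angular#unsafe-bypass');

const rawString = { kind: 'string' };
console.log(checkInnerHtmlAssignment(parseCsp(REPORTED), rawString));
console.log(checkInnerHtmlAssignment(parseCsp(WITH_BYPASS), rawString));
console.log(checkInnerHtmlAssignment(parseCsp(WITH_BYPASS), { kind: 'TrustedHTML', policy: 'angular' }));
```

In this model the outcome for a plain string is the same under both policies: the extra name only widens which policies may be created, while the sink still rejects any value that did not come out of one.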