"TypeError: link.prev?.setAttribute is not a function" upon rendering any page with "ngCspNonce" set.

Question

"TypeError: link.prev?.setAttribute is not a function" upon rendering any page with "ngCspNonce" set.

majoer opened this issue 10 months ago · 1 comments

majoer commented 10 months ago

🐞 Bug report

What modules are related to this issue?

builders
common
express-engine

Is this a regression?

I don't think so, as the CSP feature was added in 16

Description

We started using the "ngCspNonce" attribute when we upgraded to Angular 16. The application builds and starts, but upon sending a request to a SSR page we get an "Internal server error" in the browser. The console also displays an error message:


TypeError: link.prev?.setAttribute is not a function

The same bug was reported in @angular-devkit/build-angular here:

This is the PR where they fixed it: angular/angular-cli#25584
After this fix was released I expected our app to work, but I found angular universal has its own version of "inline-css-processor.ts" here:
https://github.com/angular/universal/blob/5974f8e769e75023cacbf0cc52f7c1a6ae534f45/modules/common/tools/src/inline-css-processor.ts#L157C21-L157C21

I believe the fix should be applied to Angular Universal as well.

🔬 Minimal Reproduction

Add "ngCspNonce" to the app-root as explained in: https://angular.io/guide/security#content-security-policy
Add some external style-sheets as links in index.html.
Set inlineCritical": true in angular.json
build and run with SSR

Here is the repo i made for the issue I reported in angular-cli. The same setup should yield the same problem in angular universal: https://github.com/majoer/angular-csp-link-bug

🔥 Exception or Error


TypeError: link.prev?.setAttribute is not a function

🌍 Your Environment


Angular CLI: 16.2.0
Node: 16.17.0
Package Manager: npm 8.15.0
OS: linux x64

 

Angular: 16.2.0
... animations, cdk, cli, common, compiler, compiler-cli, core
... forms, language-service, localize, material
... material-moment-adapter, platform-browser
... platform-browser-dynamic, platform-server, router

 

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1602.0
@angular-devkit/build-angular   16.2.0
@angular-devkit/core            16.2.0
@angular-devkit/schematics      16.2.0
@nguniversal/builders           16.2.0
@nguniversal/express-engine     16.2.0
@schematics/angular             16.2.0
rxjs                            7.8.1
typescript                      4.9.5
zone.js                         0.13.1

Answer 1 · 2023-09-17T00:09:40.000Z

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}