Add logic to disable CSP-incompatible features on app boot

Set the `ng-csp` attribute on the document body on app startup before Angular is loaded to avoid triggering warnings when app.html is served with Content Security Policy headers. This used to be done via an `ng-csp` attribute on the <body> tag in the app.html file served by the `h` service but this moves it to client code to avoid the service needing to know this implementation detail of the client app.

Add logic to disable CSP-incompatible features on app boot
Set the `ng-csp` attribute on the document body on app startup before Angular is loaded to avoid triggering warnings when app.html is served with Content Security Policy headers. This used to be done via an `ng-csp` attribute on the <body> tag in the app.html file served by the `h` service but this moves it to client code to avoid the service needing to know this implementation detail of the client app.
ef07a771 · Robert Knight · ae3f3114 · ef07a771
Commit ef07a771 authored Jul 19, 2016 by Robert Knight
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

app.js h/static/scripts/app.js +8 -0

No files found.
--- a/h/static/scripts/app.js
+++ b/h/static/scripts/app.js
@@ -15,6 +15,14 @@ if (settings.raven) {
  raven.init(settings.raven);
 }

+// Disable Angular features that are not compatible with CSP.
+//
+// See https://docs.angularjs.org/api/ng/directive/ngCsp
+//
+// The `ng-csp` attribute must be set on some HTML element in the document
+// _before_ Angular is require'd for the first time.
+document.body.setAttribute('ng-csp', '');
+
 var angular = require('angular');

 // autofill-event relies on the existence of window.angular so