fix: resolve CSP and accessibility issues

- Allow inline styles in CSP for Angular component encapsulation
- Hide skip-to-main-content link using screen-reader-only pattern
- Add JavaScript handler for skip link to work across all routes
- Add eslint-disable comments for intentional design choices
2026-02-20 02:06:30 -08:00
committed by Naomi Carrigan
parent 888a3fbd97
commit d17721aa91
12 changed files with 463 additions and 376 deletions
+2 -3
@@ -13,9 +13,8 @@ const helmetPlugin: FastifyPluginAsync = async (app) => {
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
// Remove unsafe-inline for better security
// Angular uses inline styles in development, but production builds should use external CSS
styleSrc: ["'self'", process.env.NODE_ENV === "production" ? "'self'" : "'unsafe-inline'"],
// Angular uses inline styles for component encapsulation, so we need to allow them
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
scriptSrc: ["'self'"],
connectSrc: ["'self'", process.env.FRONTEND_URL ?? "http://localhost:4200"],
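Review bot: The new `styleSrc` on line 25 re-enables `'unsafe-inline'` unconditionally, including in production, whereas the removed line limited it to non-production builds; this lets any injected `<style>` element or `style=` attribute take effect, which is exactly what the style-src restriction exists to block (CSS-driven data exfiltration and UI overlays are possible without script execution). If Angular's emitted component styles are the only inline styles, a nonce or hash source is the usual fix: `@fastify/helmet` can issue per-request nonces (its `enableCSPNonces` option, if the installed version supports it, or a directive value given as a function of the request/reply), and Angular can apply the same nonce to its injected styles via the `CSP_NONCE` token or the `ngCspNonce` attribute — confirm both against the versions in use. If `'unsafe-inline'` is kept as an accepted risk, the comment on line 24 should record that rather than only the reason, e.g. `// Accepted risk: 'unsafe-inline' styles allowed in all environments because Angular emits inline component styles; replace with per-request nonces (helmet + Angular CSP_NONCE) — tracked in <ISSUE-PLACEHOLDER>`. The enclosing `helmetPlugin` function starts before and continues past this hunk.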