Angular-cli: feat: support adding 'crossorigin' attribute

Created on 8 Aug 2017  路  5Comments  路  Source: angular/angular-cli

Bug Report or Feature Request (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x] feature request

Versions.

@angular/cli: 1.3.0-rc.5
node: 6.11.0
os: win32 x64

Desired functionality.

Add a build/serve option that adds crossorigin="anonymous" to generated script and style tags.
Adding this attribute will make the request without cookies which are probably an unnecessary overhead on these requests.

This feature can be used if there's no option to use a cookie-less domain.

3 (nice to have)
Source
picture tzachov
👍3

Most helpful comment

The crossorigin attributes are added to scripts when the SRI option is enabled. This allows for useful error messaging within the browser console. The attribute controls the presence of error information for "classic" scripts (i.e., not type="module"). No credentials should be sent if the attribute is not present (spec reference) since the "missing default value" is no CORS which would cause a credential mode of "omit".

picture clydin on 5 Feb 2019
👍2

All 5 comments

My app's assets are hosted on a CDN. I pass the CDN's URL with the --deploy-url option.

I think the lack of attribute crossorigin on the generated script tags means that I get a Script error any time an error is thrown in one of the bundles.

https://scotch.io/bar-talk/what-the-heck-is-script-error

axelboc picture axelboc on 21 Dec 2018
👍1

Hi, for this you can use the subresource-integrity flag which also enables the use of subresource integrity validation.

https://angular.io/cli/build

alan-agius4 picture alan-agius4 on 5 Feb 2019

Not sure how this relates to subresource integrity, sorry.

axelboc picture axelboc on 5 Feb 2019

The crossorigin attributes are added to scripts when the SRI option is enabled. This allows for useful error messaging within the browser console. The attribute controls the presence of error information for "classic" scripts (i.e., not type="module"). No credentials should be sent if the attribute is not present (spec reference) since the "missing default value" is no CORS which would cause a credential mode of "omit".

clydin picture clydin on 5 Feb 2019
👍2

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_This action has been performed automatically by a bot._

angular-automatic-lock-bot[bot] picture angular-automatic-lock-bot[bot] on 9 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

sysmat picture sysmat  路  3Comments
gotschmarcel picture gotschmarcel  路  3Comments
rwillmer picture rwillmer  路  3Comments
jmurphzyo picture jmurphzyo  路  3Comments
5amfung picture 5amfung  路  3Comments