Angular-cli: Feature request: Flag for subresource integrity crossorigin behavior

Created on 9 May 2018  路  5Comments  路  Source: angular/angular-cli

Currently, using the --subresource-integrity flag adds the attribute crossorigin="anonymous" to all link/script tags. I just opened a ticket with the Microsoft Edge team because they do not handle this correctly on script tags:
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17438887/
This prevents Edge from passing credentials to load scripts even when the script is not cross origin (though it does not present an issue for the links for css).

Is it possible to add an option to configure this in option during build? As far as I can tell there is no way to use crossorigin="use-credentials" or leave the attribute out entirely if you use --subresource-integrity. For now I'll have to remove --subresource-integrity from our builds, but I'd like to add it back if we can specify how to configure the crossorigin attribute (or leave it out).

devkibuild-angular feature
Source
picture dcbroad3

Most helpful comment

With Angular 8 we have a similar issue. One of the quirks of the introduced es-2015 modules is that they don't send credentials by default anymore (https://github.com/whatwg/html/issues/2557).
Since our stage environment is secured via basic authentication which also uses deployUrl to get all angular resources from another domain, we also need a way of adding the attribute crossorigin="use-credentials" during the build process.

picture koenig-dominik on 3 Jun 2019
👍3

All 5 comments

This issue has been fixed now in Microsoft Edge 42.17134.1.0, however IE11 does still have the same issue, so my request stands.

dcbroad3 picture dcbroad3 on 6 Jun 2018

With Angular 8 we have a similar issue. One of the quirks of the introduced es-2015 modules is that they don't send credentials by default anymore (https://github.com/whatwg/html/issues/2557).
Since our stage environment is secured via basic authentication which also uses deployUrl to get all angular resources from another domain, we also need a way of adding the attribute crossorigin="use-credentials" during the build process.

koenig-dominik picture koenig-dominik on 3 Jun 2019
👍3

As of Angular CLI 8.2, the CLI supports a crossOrigin option which can be used with or without SRI.

clydin picture clydin on 20 Sep 2019

@clydin adding --cross-origin to my deploy script is throwing an error:
Unknown option: '--cross-origin'
Adding crossOrigin to angular.json throws this error:
Data path "" should NOT have additional properties(crossOrigin)

Any idea how to solve this?

I'm on Angular CLI 8.3.9

Thanks!

azizantoun picture azizantoun on 14 Oct 2019

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_This action has been performed automatically by a bot._

angular-automatic-lock-bot[bot] picture angular-automatic-lock-bot[bot] on 14 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ericel picture ericel  路  3Comments
naveedahmed1 picture naveedahmed1  路  3Comments
5amfung picture 5amfung  路  3Comments
gotschmarcel picture gotschmarcel  路  3Comments
hareeshav picture hareeshav  路  3Comments