Angular.js: ngSanitize triggers CSP alert/report in Firefox

Created on 20 Feb 2018  ·  9 Comments  ·  Source: angular/angular.js

I'm submitting a ...

  • [X] bug report
  • [ ] feature request
  • [ ] other

Current behavior:

If ngSanitize is added as a module dependency and a Content-Security-Policy is set that does not allow inline styles then Firefox shows the following message:

Content Security Policy: The page’s settings observed the loading of a resource at self (“default-src”). A CSP report is being sent.

Our CSP looks like this:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /foo

If ngSanitize is removed from the module dependencies then the CSP message disappears as well.

Expected / new behavior:

ngSanitize should work in Firefox without triggering CSP alerts, at least if the "ng-csp" mode is enabled.

Minimal reproduction of the problem with instructions:

  1. Set the Content-Security-Policy to: default-src: 'self'
  2. Add 'ngSanitize' as a module dependency.

AngularJS version: 1.6.9

Browser: Firefox 60.0a1 and 59.0b10

Anything else:
I guess the following code triggers the CSP alert, since it adds an inline