Edited answer for @angular/cli>=8.2
From this Github thread, one can use the index property in angular.json to control the generation of the application’s HTML index:
build: {
...
"configurations": {
"production": {
"index": {
"input": "src/index.production.html",
"output": "index.html"
},
...
}
}
}
Original answer
I’ve found a way to have restrictive CSP on my production environment while still being able to use the JTI compliler for development.
- Add a second file:
index.production.htmlto thesrcfolder. - Copy the contents of
index.htmlto that file, and add the restrictive CSP header.
<meta http-equiv="Content-Security-Policy"
content="default-src 'none';
frame-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline';
font-src 'self';
img-src 'self' data:;
connect-src 'self'">
- Then, add to your
angular.jsonthe following:
build: {
...
"configurations": {
"production": {
"fileReplacements": [
{
"replace": "src/index.html",
"with": "src/index.production.html"
}
],
...
}
}
}
This makes sure that when you run a production build, it will use the index.production.html with the restrictive CSP, and when you’re running it locally, you can use the JTI compiler.