TechQA.

Angular ServiceWorker fails with TrustedTypes

136 views Asked by At

For a single SPA Angular application, I want to use service workers ; but it conflicts with my CSP security rules...

main.ts:5 This document requires 'TrustedScriptURL' assignment.

Service worker registration failed with: TypeError: Failed to execute 'register' on 'ServiceWorkerContainer': This document requires 'TrustedScriptURL' assignment.

I tried to fix it with DOMPurify, then withcustom trusted-types policy, but without success...

Dependencies :

  • trusted-types 2.0.0
  • angular 16.2.6

app.config.ts

// [...]
import {trustedTypes} from 'trusted-types';

const myPolicy = trustedTypes.createPolicy('custom', {
  createScriptURL(dirty) {
    return dirty;
  },
})
export const appConfig: ApplicationConfig = {
  providers: [
    // [...]
    provideServiceWorker(myPolicy.createScriptURL(`/ngsw-worker.js`) as unknown as string, {
      enabled: !isDevMode(),
      registrationStrategy: 'registerWhenStable:30000',
    }),
  ],
};

CSP headers

require-trusted-types-for 'script'; trusted-types custom dompurify angular angular#bundler;

I don't know what I'm missing here :/

Thanks !

angular angular-service-worker trusted-types
Original Q&A
1

There are 1 answers

0
Joseph Simpson On

https://github.com/angular/angular/issues/45145 explains

Since navigator.serviceWorker.register() is considered an injection sink and you are using Trusted Types in your app, you must ensure that the string used to specify the SW script is trusted. How to do this depends on how you implement your policies.

and points to Angular.io as an example of a PWA that has solved this.

As advised, I installed the https://www.npmjs.com/package/safevalues package and made the relevant changes:

app.module.ts:

ServiceWorkerModule.register(
      unwrapResourceUrl(trustedResourceUrl`ngsw-worker.js`) as string,
      {
        enabled: environment.production,
        // Register the ServiceWorker as soon as the application is stable
        // or after 30 seconds (whichever comes first).
        registrationStrategy: "registerWhenStable:30000",
      }
    ),

After that, you just need to add "google#safe" to the trusted-types region of your CSP, e.g.

Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; script-src 'self' 'unsafe-inline'; trusted-types angular angular#bundler google#safe; require-trusted-types-for 'script'; font-src fonts.gstatic.com; frame-ancestors 'none';

Related Questions in ANGULAR

Related Questions in ANGULAR-SERVICE-WORKER

Related Questions in TRUSTED-TYPES

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions