In this article, we won’t talk about the Content Security Policy (CSP) itself. There is already a lot of good documentation and many blog posts about this W3C recommendation; the one I prefer is the article written by Mike West on the (also amazing) HTML5Rocks website.
Just to summarize: CSP is a W3C recommendation that defines a standard HTTP response header, Content-Security-Policy, in which the server lists the origins from which the browser is allowed to load resources for that page. Its main purpose is to mitigate cross-site scripting (XSS) attacks: even if an attacker manages to inject a script tag into the page, the browser refuses to load or run anything that the policy does not allow. For my Angular2 application, the scripts come from:
- the same domain (for my application scripts)
- code.angularjs.org (for AngularJS)
- jspm.io (for SystemJS)
- github.jspm.io (for Traceur-runtime)
In the AppEngine YAML configuration file (app.yaml), I add this new HTTP header on the handler whose URL matches my index.html file:
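The following app.yaml is an added example, not the configuration from the original post. It assumes a Python 2.7 App Engine standard application whose index.html is served as a static file from the root URL, and it takes the allowed script hosts from the list above (jspm.io is assumed to be the SystemJS CDN host). On App Engine, `http_headers` can only be set on static handlers (`static_files` / `static_dir`), which is exactly the case for index.html here:

```yaml
# Added example (not the post's own app.yaml).
# Assumes a Python 2.7 App Engine standard app with a static index.html.
runtime: python27
api_version: 1
threadsafe: true

handlers:
# The CSP header is attached only to the handler that serves index.html,
# since that is the page that loads the scripts.
- url: /
  static_files: index.html
  upload: index.html
  http_headers:
    # YAML folded scalar (>-): the lines below are joined with spaces
    # into a single header value.
    Content-Security-Policy: >-
      default-src 'self';
      script-src 'self' https://code.angularjs.org https://jspm.io https://github.jspm.io

# Application scripts, styles and other assets served from the same origin.
- url: /(.*)
  static_files: \1
  upload: .*
```

Two caveats when using this: `default-src 'self'` is the fallback for every resource type that is not listed explicitly, so stylesheets, fonts or XHR calls to other hosts would also need their own directives (`style-src`, `font-src`, `connect-src`); and the scheme matters, `https://jspm.io` does not allow `http://jspm.io`. After deploying, check that the header is actually served on the page with `curl -sI https://<your-app>.appspot.com/ | grep -i content-security-policy`, and open the browser console: every blocked resource is reported there with the directive that blocked it.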
In fact, if you launch my Angular2 application with this configuration, it won’t work anymore, for two reasons.
In the end, your CSP configuration should look like this: