Which environments allow eval but not inline CSS?

This is mostly useful for sites with custom CSP headers, not for a certain environment like a browser extensions.

We prohibit inline styles on our projects but on some we're not ready to give up the performance increase eval offers. The resulting warning is mostly annoying but it also looks kinda unprofessional when a visitor happens to look into the console. It's also annoying because we happen to log these errors on the server.

Any news or feedback on this?

Checking with the core team...

What's the goal here? Size reduction or avoiding an exception/warning from CSP? If it's the latter then we should look into how we could avoid it via ng-csp attribute. If size reduction is the goal then I don't think it's worth it because the css is tiny.

I believe the goal is the latter. @IgorMinar Are you saying that we could make ng-csp configurable so that it could allow eval while restricting inline CSS?

Yeah
On Sep 5, 2014 10:57 AM, "Pete Bacon Darwin" notifications@github.com
wrote:

I believe the goal is the latter. @IgorMinar
https://github.com/IgorMinar Are you saying that we could make ng-csp
configurable so that it could allow eval while restricting inline CSS?

—
Reply to this email directly or view it on GitHub
#8459 (comment).

OK, so I took a look into this. I think that there is a reasonable work around for this specific case that doesn't require a change to the Angular build or code.

The key is to trick the $sniffer service into thinking that CSP mode is not enabled. The parser calls this to determine whether to use eval or not.

• use ng-csp in your HTML to ensure that the inline CSS is not injected. This will also prevent the CSP automatic detection routine from running.

<html ng-csp>

• decorate the $sniffer to override the .csp() method, so that it returns false:

angular.module('app', []).
decorate('$sniffer', function($delegate) {
  $delegate.csp = function() { return false; };
  return $delegate;
});

I haven't yet tested this code but you might want to give it a try.

That will also disable fn generation that speeds up dirty-checking, which might not be desirable.

From looking at the code, I don't think so:
https://github.com/angular/angular.js/blob/master/src/ng/parse.js#L1014

The parser checks $sniffer.csp and disables fn generation only if this is true.

Actually my code is slightly wrong since $sniffer.csp is actually a property not a function...

angular.module('app', []).
decorate('$sniffer', function($delegate) {
  $delegate.csp = false;
  return $delegate;
});

@realityking - is my workaround good enough for you?

@petebacondarwin I probably won't be able to test this until the weekend as we're in the middle of a bigger release rigth now.

No problem.

I finally got a chance to test this. Your workaround works completely fine. There's no warning about styles being inserted and I manually checked that function generation is still used. While I think my solution is more elegant, this is completely serviceable. Thank you very much!

I agree that your solution was more elegant but I am glad that you now have a serviceable solution.