refactor(@angular/build): Auto-CSP support as an index file transformation.

[aaronshim]

Auto-CSP is a feature to rewrite the <script> tags in a index.html file to either hash their contents or rewrite them as a dynamic loader script that can be hashed. These hashes will be placed in a CSP inside a <meta> tag inside the <head> of the document to ensure that the scripts running on the page are those known during the compile-time of the client-side rendered application.

This is an application of the recommended Strict CSP approach that is also recommended by the OWASP CSP Cheat Sheet and inspired by https://github.com/google/strict-csp. The approach of having build tooling auto-generate a hash-based CSP addresses the main concern around hash-based CSPs that generating and updating the hashes manually is difficult and error-prone.

PR Checklist

Please check to confirm your PR fulfills the following requirements:

• The commit message follows our guidelines: https://github.com/angular/angular-cli/blob/main/CONTRIBUTING.md#-commit-message-guidelines
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

• Bugfix
• Feature
• Code style update (formatting, local variables)
• Refactoring (no functional changes, no api changes)
• Build related changes
• CI related changes
• Documentation content changes
• Other... Please describe:

What is the current behavior?

There is currently no logic to process the index.html to auto-generate hash-based CSPs.

What is the new behavior?

Adding logic to process the index.html to auto-generate hash-based CSPs.

Does this PR introduce a breaking change?

• Yes
• No

Other information

[dgp1130]

Thanks for putting this together! Very excited to see this feature land.

I left a bunch of readability / refactoring suggestions, but none of them are really critical and what you have is pretty reasonable so feel free to decline any which aren't worth applying.

For the commit message, we should use refactor here since it doesn't actually expose any functionality yet. When you get to the "keystone" commit which exposes the relevant option for end users, that's where you would put feat to be included in the changelog.

[dgp1130]

Yeah, I mean something like:

const strictCspTemplate = new Map<string, string[]>(Object.entries({
  'script-src': [`'strict-dynamic'`, ...hashes],
  // ...
}));

// Update / assign like:
strictCspTemplate.set('require-trusted-types-for', ['script']);

// Consume at the end:
return Array.from(strictCspTemplate.entries()).map(([directive, value]) => `${directive} ${values.join(' ')};`)
    .join('');

Since all the keys are static string literals, it's really not that important so feel free to ignore. Just a thing I commonly recommend for any dynamic key usage since that commonly leads to prototype pollution vulnerabilities.

[dgp1130]

Thanks for working through these comments! I don't have any significant concerns at this point, @clydin can you take a quick look too?

[dgp1130]

FYI: For a review, the commits you have are probably fine, but once this is approved and ready to submit, you'll need to squash/amend them to match the commit message conventions so we can merge it. Just a heads up.

[aaronshim]

FYI: For a review, the commits you have are probably fine, but once this is approved and ready to submit, you'll need to squash/amend them to match the commit message conventions so we can merge it. Just a heads up.

For sure! I realized that the GitHub code review interface was hiding comments as "outdated" and such when I amended and force pushed on the same commit, so I decided to stop doing that until we are ready to merge!