Avoid false green framework CSP checks#33728
Open
EugeniyKiyashko wants to merge 3 commits into
Open
Conversation
EugeniyKiyashko
force-pushed
the
26_1_revert
branch
27 times, most recently
from
9062a70 to
4a8d49c
Compare
EugeniyKiyashko
force-pushed
the
26_1_revert
branch
4 times, most recently
from
ca9065f to
8e9fa18
Compare
EugeniyKiyashko
force-pushed
the
26_1_revert
branch
2 times, most recently
from
26bbe83 to
5d4c06b
Compare
EugeniyKiyashko
force-pushed
the
26_1_revert
branch
from
5d4c06b to
3027521
Compare
EugeniyKiyashko
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the demos CSP validation pipeline to avoid “false green” results by checking production-style (bundled) pages for React/Vue/Angular, tightening per-framework CSP allowlists, and improving CSP-check robustness.
Changes:
- Add demo pre-bundling for CSP checks (esbuild for React/Vue; Angular AOT bundling via
@angular/build/private) and route CSP checks toapps/demos/csp-bundled-demos. - Refactor CSP server directives/allowlists to distinguish SystemJS dev needs vs bundled needs; add Angular
ngCspNoncestamping for bundled demos. - Clean up multiple Angular demo sources to remove unnecessary
$eventbindings, fix template binding typos, and remove inline styles/external font dependency that can affect CSP.
Reviewed changes
Copilot reviewed 34 out of 34 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| packages/devextreme-scss/scss/widgets/generic/treeView/_index.scss | Removes an unused SCSS @use import to reduce redundant dependencies. |
| apps/demos/utils/server/tsconfig.csp-bundle-angular.json | Adds a dedicated TS config used by the Angular CSP bundler. |
| apps/demos/utils/server/csp-server.js | Splits CSP behavior between SystemJS dev vs bundled demos; switches to report-only header and adds Angular nonce stamping for styles. |
| apps/demos/utils/server/csp-check.js | Reworks CSP checking to use a single CDP-driven Chrome instance and in-page violation capture; adds bundling mode + sharding support. |
| apps/demos/utils/server/csp-bundle.js | New: bundles React/Vue demos into production-style pages for CSP validation. |
| apps/demos/utils/server/csp-bundle-angular.js | New: bundles Angular demos (AOT) into production-style pages for CSP validation, with sharding and patch/shim helpers. |
| apps/demos/Demos/TreeView/ItemSelectionAndCustomization/Angular/app/app.component.ts | Removes BrowserModule from standalone imports for CSP-friendly bundling. |
| apps/demos/Demos/TreeList/MultipleRowSelection/Angular/app/app.component.html | Drops unused $event parameter from option change handlers. |
| apps/demos/Demos/TreeList/CustomizeKeyboardNavigation/Angular/app/app.component.html | Fixes a casing typo in editOnKeyPress binding. |
| apps/demos/Demos/Stepper/FormIntegration/Angular/app/app.component.html | Drops unused $event parameter from button click handlers. |
| apps/demos/Demos/SpeechToText/Overview/Angular/app/app.component.html | Drops unused $event parameter from button click handler. |
| apps/demos/Demos/Scheduler/DragAndDrop/Angular/app/app.component.html | Fixes @for ... track expression to use an existing stable field. |
| apps/demos/Demos/Localization/UsingIntl/Angular/app/app.component.html | Fixes applyFilter binding to use a string literal instead of an undefined identifier. |
| apps/demos/Demos/Localization/UsingGlobalize/Angular/app/app.component.html | Fixes applyFilter binding to use a string literal instead of an undefined identifier. |
| apps/demos/Demos/LoadIndicator/Overview/Angular/app/app.component.html | Drops unused $event parameter and collapses markup to avoid unnecessary inline patterns. |
| apps/demos/Demos/List/Selection/Angular/app/app.component.ts | Removes BrowserModule from standalone imports for CSP-friendly bundling. |
| apps/demos/Demos/Form/ItemCustomization/Angular/app/app.component.ts | Tightens template-related typing (array element shape) for consistency under AOT/bundling. |
| apps/demos/Demos/Form/Grouping/Angular/app/app.component.ts | Tightens template-related typing (array element shape) for consistency under AOT/bundling. |
| apps/demos/Demos/FilterBuilder/Customization/Angular/app/app.component.ts | Removes BrowserModule from standalone imports for CSP-friendly bundling. |
| apps/demos/Demos/FileUploader/ChunkUpload/Angular/app/app.component.html | Drops unused $event parameter from upload started handler. |
| apps/demos/Demos/Drawer/TopOrBottomPosition/Angular/index.html | Removes external Font Awesome stylesheet to reduce CSP exceptions. |
| apps/demos/Demos/Drawer/LeftOrRightPosition/Angular/index.html | Removes external Font Awesome stylesheet to reduce CSP exceptions. |
| apps/demos/Demos/Drawer/LeftOrRightPosition/Angular/app/app.component.html | Replaces inline style with a CSS class to avoid inline-style CSP violations. |
| apps/demos/Demos/Drawer/LeftOrRightPosition/Angular/app/app.component.css | Adds styling for the new drawer panel class (keeps styles out of inline attributes). |
| apps/demos/Demos/DataGrid/NewRecordPosition/Angular/app/app.component.ts | Removes BrowserModule from standalone imports for CSP-friendly bundling. |
| apps/demos/Demos/DataGrid/CustomizeKeyboardNavigation/Angular/app/app.component.html | Fixes a casing typo in editOnKeyPress binding. |
| apps/demos/Demos/Chat/MessageEditing/Angular/app/app.component.html | Fixes a binding typo (allowEditingLabel). |
| apps/demos/Demos/Charts/TilingAlgorithms/Angular/app/app.component.ts | Removes BrowserModule from standalone imports for CSP-friendly bundling. |
| apps/demos/Demos/Charts/CenterLabelCustomization/Angular/app/app.component.html | Replaces inline SVG styling with CSS classes to avoid inline-style CSP violations. |
| apps/demos/Demos/Charts/CenterLabelCustomization/Angular/app/app.component.css | Adds CSS for the new SVG label classes. |
| apps/demos/Demos/Charts/AreaSelectionZooming/Angular/app/app.component.html | Drops unused $event parameter and collapses markup for CSP-friendly bundling. |
| apps/demos/Demos/ActionSheet/PopoverMode/Angular/app/app.component.html | Fixes @for ... track expression to use an existing stable field. |
| apps/demos/.gitignore | Ignores csp-bundled-demos output and Angular bundler scratch artifacts. |
| .github/workflows/visual-tests-demos.yml | Enables bundling + sharding for CSP checks in CI and adjusts artifact naming accordingly. |
dmlvr
previously approved these changes
Jun 3, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: EugeniyKiyashko <EugeniyKiyashko@users.noreply.github.com>
Comment on lines
+408
to
+412
| await startBrowser(); | ||
|
|
||
| const reportFile = join(REPORT_DIR, `csp-violations-${FRAMEWORK.toLowerCase()}.jsonl`); | ||
| try { | ||
| await runPool(demos, CONCURRENCY, async (demo, i) => { | ||
| const idx = i + 1; |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: EugeniyKiyashko <EugeniyKiyashko@users.noreply.github.com>
|
|
||
| const CHROME_PATH = findChrome(); | ||
|
|
||
| const DEBUG_PORT = 20222; |
Comment on lines
+79
to
+82
| const CHROME_USER_DATA_DIR = process.env.CSP_CHROME_USER_DATA_DIR | ||
| || join(os.tmpdir(), 'csp-chrome-shared'); | ||
| const CHROME_DISK_CACHE_DIR = process.env.CSP_CHROME_DISK_CACHE_DIR | ||
| || join(os.tmpdir(), 'csp-chrome-cache'); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.