I have a legacy project developed with ASP.NET Core 3.1 MVC and Angular 12 (originally it was Angular 5).
I need to set a Content Security Policy (CSP) for the website without using 'unsafe-eval' to improve security. However, when I remove 'unsafe-eval', the pages stop working.
After a lot of research, I tried updating Angular and related dependencies (like zone.js) to version 12, but the problem persists. I suspect the issue is related to the compilation mode: currently the project is compiled using JIT, not AOT.
If I understand correctly, AOT compiles the Angular templates ahead of time, so the browser gets the ready-to-render code and doesn't need to compile at runtime. However, my project uses MVC views with some embedded MVC code, so I think switching to AOT compilation may not be straightforward or even possible in this scenario. Is that correct?
Are there any other ways to avoid using 'unsafe-eval' in the CSP for a legacy Angular + ASP.NET Core MVC project compiled with JIT?
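The question turns on whether the effective script-src of a policy permits runtime code generation (eval / new Function), which is what the 'unsafe-eval' keyword governs and what a JIT-compiled Angular build relies on. The following is an added example, not code from the question or from Angular or ASP.NET Core: a small CSP checker that parses a Content-Security-Policy header string, resolves the script-src / default-src fallback the way browsers do, and reports whether eval is allowed. The three sample policies are constructed for illustration; the "after" policy assumes an AOT build served with a per-response nonce, which is one common shape but not the only possible one.

```javascript
// Added example (not from the question): check whether a CSP header string
// allows runtime code generation, i.e. whether it contains 'unsafe-eval'
// in the directive that governs scripts.

// Parse "name value value; name value" into a Map of directive -> values.
// Per the CSP spec only the first occurrence of a directive is honoured,
// so duplicates are ignored rather than merged.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    const values = parts.slice(1);
    if (!directives.has(name)) directives.set(name, values);
  }
  return directives;
}

// script-src controls eval; if it is absent, default-src applies;
// if neither is present the policy places no restriction on scripts.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Keyword sources are ASCII case-insensitive, hence the lowercase compare.
function allowsEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Summarise a header for a human reader.
function describe(label, header) {
  return `${label}: eval ${allowsEval(header) ? 'ALLOWED' : 'blocked'}  [${header}]`;
}

// Constructed sample policies (hypothetical, for demonstration only).
const jitPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const aotPolicy = "default-src 'self'; script-src 'self' 'nonce-c0nstructed'";
const fallbackPolicy = "default-src 'self' 'unsafe-eval'"; // no script-src: default-src applies

console.log(describe('JIT build policy', jitPolicy));
console.log(describe('AOT build policy', aotPolicy));
console.log(describe('fallback policy', fallbackPolicy));
```

Running this against the header your ASP.NET Core app actually emits (for example copied from the browser's network panel) tells you in one line whether the policy still grants eval, and the fallback case shows why removing 'unsafe-eval' from script-src alone is not enough if default-src still carries it.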