AutoCsp generates invalid hash for inline script in index.html if CRLF #32709

@austinw-fineart

Command

build

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

When autoCsp reads from an index.html with CRLF line endings, it generates hashes based on the content with the CRLF line endings. However, the transformed index.html will always be written with LF line endings instead. As a result, the inline scripts become violations because they can no longer match with their hash.

Minimal Reproduction

The following example uses CRLF line endings for its index.html; StackBlitz doesn't have any indicator for this. You can use VS Code to modify line endings and overwrite the file instead.

https://stackblitz.com/edit/cukg9skb?file=src%2Findex.html

Note that because autoCsp only applies to builds, the static built files are served instead of via ng serve, meaning you should rebuild to apply any changes.

Exception or Error

Executing inline script violates the following Content Security Policy directive 'script-src 'strict-dynamic' 'sha256-DseH/kfLLMMDrt5Fv7yG84W/vhVyzaUlY2uyB+yl+rU=' 'sha256-ku3oFQ8DDR81xC6Gz32A3bU2PKxH12YBBTzRvVuNLKM=' https: 'unsafe-inline''. Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list. The action has been blocked.

Your Environment

Angular CLI       : 21.2.0
Angular           : 21.2.0
Node.js           : 20.19.1
Package Manager   : npm 10.8.2
Operating System  : linux x64

Anything else relevant?

No response
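
The mismatch reported above can be reproduced and caught with a post-build check over the emitted index.html. This is an added example, not code from the issue or from Angular CLI; the function names and the sample HTML are constructed for illustration.

```javascript
// Added example: post-build check that every inline <script> in the emitted
// index.html is covered by a hash in the CSP. All names here are hypothetical.
const { createHash } = require('node:crypto');

// CSP hash-source for a script body: 'sha256-' + base64(SHA-256(UTF-8 bytes)).
function cspHash(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Inline script bodies (no src attribute). A regex is enough for this
// constructed sample; use a real HTML parser on production output.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// Returns the inline scripts in `html` whose hash is absent from `policy`.
function uncoveredScripts(html, policy) {
  const allowed = new Set(policy.match(/'sha256-[A-Za-z0-9+/=]+'/g) || []);
  return inlineScripts(html).filter((s) => !allowed.has(cspHash(s)));
}

// Constructed sample: source index.html saved with CRLF line endings.
const sourceHtml =
  '<html>\r\n<head>\r\n<script>\r\n  console.log("inline");\r\n</script>\r\n</head>\r\n</html>\r\n';
// What the issue describes: the output is written with LF line endings.
const emittedHtml = sourceHtml.replace(/\r\n/g, '\n');

// Policy hashed from the CRLF source (the reported behaviour) ...
const policyFromCrlf = `script-src 'strict-dynamic' ${inlineScripts(sourceHtml).map(cspHash).join(' ')}`;
// ... versus a policy hashed from the bytes that are actually emitted.
const policyFromLf = `script-src 'strict-dynamic' ${inlineScripts(emittedHtml).map(cspHash).join(' ')}`;

console.log('CRLF-hashed policy, uncovered:', uncoveredScripts(emittedHtml, policyFromCrlf).length);
console.log('LF-hashed policy, uncovered:  ', uncoveredScripts(emittedHtml, policyFromLf).length);
```

Running `uncoveredScripts` against the built file and its generated policy in CI fails the build before a hash mismatch reaches a browser.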
