From cbcb6f0446ff75a3e09cbf9c915997b169d9b6de Mon Sep 17 00:00:00 2001 From: davidcigital Date: Thu, 15 Sep 2016 13:59:55 +0100 Subject: [PATCH 1/2] docs(ngCsp): Updated unsafe-eval and unsafe-inline Update the description of CSP, mainly regarding unsafe-eval and unsafe-inline. The way it was presented previously was slightly misleading as it indicated that these were rules forbidding certain things, when in fact it's a keyword in the CSP that disables the very rule that was described. I hope this updated text clarifies this better. --- src/ng/directive/ngCsp.js | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/src/ng/directive/ngCsp.js b/src/ng/directive/ngCsp.js index f0303ef8a844..aaeb85ee7d2d 100644 --- a/src/ng/directive/ngCsp.js +++ b/src/ng/directive/ngCsp.js 
@@ -7,28 +7,32 @@ * @element html * @description * - * Angular has some features that can break certain + * Angular has some features that can conflict with certain restrictions that are applied when using * [CSP (Content Security Policy)](https://developer.mozilla.org/en/Security/CSP) rules. * - * If you intend to implement these rules then you must tell Angular not to use these features. + * If you intend to implement CSP with these rules then you must tell Angular not to use these features. * * This is necessary when developing things like Google Chrome Extensions or Universal Windows Apps. * * - * The following rules affect Angular: + * The following default rules in CSP affect Angular: * - * * `unsafe-eval`: this rule forbids apps to use `eval` or `Function(string)` generated functions - * (among other things). Angular makes use of this in the {@link $parse} service to provide a 30% - * increase in the speed of evaluating Angular expressions. + * * The use of `eval()`, `Function(string)` and similar functions to dynamically create and execute + * code from strings is forbidden. Angular makes use of this in the {@link $parse} service to provide + * a 30% increase in the speed of evaluating Angular expressions. (This CSP rule can be disabled with + * the CSP keyword `unsafe-eval`, but it is generally not recommended as it would weaken the protections + * offered by CSP.) * - * * `unsafe-inline`: this rule forbids apps from inject custom styles into the document. Angular - * makes use of this to include some CSS rules (e.g. {@link ngCloak} and {@link ngHide}). - * To make these directives work when a CSP rule is blocking inline styles, you must link to the - * `angular-csp.css` in your HTML manually. + * * The use of inline resources, such as inline
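Review bot: In the replaced lines "The following default rules in CSP affect Angular" the word "default" is inaccurate: CSP has no built-in default rules; the restrictions on `eval()`/`Function(string)` and on inline resources only take effect once a policy declares `script-src` or `default-src` (and `style-src` for inline styles) without the corresponding keyword. Suggest "The following CSP restrictions affect Angular:" so readers do not expect these restrictions to apply before any policy is set. In the new parenthetical about `unsafe-eval`, the keyword should be shown quoted as it must appear in a policy (`'unsafe-eval'`), since the unquoted form is silently ignored by browsers; the same applies to `'unsafe-inline'` in the next bullet. The hunk also drops the old bullet's concrete instruction to link `angular-csp.css` manually when inline styles are blocked; the new inline-resources bullet is cut off here, so please confirm that instruction survives in the rest of the rewrite, as it is the actionable part for users.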