The editor does not work when setting a Content Security Policy #218
Comments
Hello @cafischer, it seems it happens on both bootstrap and the ace editor itself. Fixing the code inside bootstrap and ace is hard to do, and potentially breaks the style or functionalities.

For django-csp:

```python
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'")
CSP_IMG_SRC = ("*", "'self'", "data:", "https:")
```

or nginx header:

```nginx
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src * 'self' data: https:";
```

If the above is still not working on script, we can add the script-src as well:

```python
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'")
CSP_IMG_SRC = ("*", "'self'", "data:", "https:")
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
```

```nginx
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src * 'self' data: https:; script-src 'self' 'unsafe-inline';";
```
Steps to reproduce

Set a Content Security Policy header, for example in nginx:

```nginx
add_header Content-Security-Policy "default-src 'self'";
```

In the browser console you see the error:

```
ace.js:5 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-NPmOMJ6Koi743g0BGW8ul25dqdhwdyelDGzO4sWLPbE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
```

and

```
Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
```

I expect the markdown editor to work with security precautions in place.
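The two console errors above and the django-csp settings suggested in the comment both come down to which CSP source expressions each directive ends up with. The following is an added example (not part of django-markdownx, django-csp or this issue's own code): it serialises django-csp style tuples into a header value, computes the `'sha256-...'` source the browser error refers to for an inline style whose content you know, and checks whether a directive (or its `default-src` fallback) still allows `'unsafe-inline'`. The `NARROWER` settings are an assumed alternative that only addresses the two errors quoted in this issue (inline style and `data:` image); if the editor also needs inline scripts, the `script-src` line from the comment still applies.

```python
import base64
import hashlib


def csp_hash(inline_source: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ("'sha256-<base64>'") that allows exactly
    this inline <style>/<script> body. Browsers hash the UTF-8 bytes of the
    element content as-is, so nothing is trimmed or normalised here."""
    digest = hashlib.new(algo, inline_source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_policy(settings: dict) -> str:
    """Serialise django-csp style settings (CSP_<DIRECTIVE> = (sources, ...))
    into one Content-Security-Policy header value, preserving dict order."""
    parts = []
    for key, sources in settings.items():
        name = key[len("CSP_"):] if key.startswith("CSP_") else key
        directive = name.lower().replace("_", "-")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def uses_unsafe_inline(header: str, directive: str) -> bool:
    """True if `directive` allows 'unsafe-inline', falling back to default-src
    when the directive is not set (the fallback the browser errors mention)."""
    rules = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            rules[tokens[0]] = tokens[1:]
    effective = rules.get(directive, rules.get("default-src", []))
    return "'unsafe-inline'" in effective


# Settings from the comment above: makes the editor work, but every directive
# that falls back to default-src (script-src included) now allows inline code.
PERMISSIVE = {
    "CSP_DEFAULT_SRC": ("'self'", "'unsafe-inline'"),
    "CSP_IMG_SRC": ("*", "'self'", "data:", "https:"),
}

# Assumed narrower variant: 'unsafe-inline' only where the error was reported
# (style-src), scripts stay 'self', and data: images are allowed without '*'.
NARROWER = {
    "CSP_DEFAULT_SRC": ("'self'",),
    "CSP_STYLE_SRC": ("'self'", "'unsafe-inline'"),
    "CSP_IMG_SRC": ("'self'", "data:"),
}

if __name__ == "__main__":
    print(build_policy(PERMISSIVE))
    print(build_policy(NARROWER))
    print(csp_hash(".ace_editor { position: relative; }"))  # constructed style body
```

A hash source only helps for inline style blocks whose exact content is known ahead of time; styles the editor injects at runtime still need `'unsafe-inline'` (or a nonce, if the library supports one).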