Closed lbm-services closed 2 years ago
I will attach to this Issue.
While I think adding nonce possibility would be a great option (and should be implemented to keep BC + support more strict environments), allowing one party to include a single JS file that renders all ckeditors at once without any inline JS would be a seriously great enhancement for environments having very strict requirements (like no inline JS at all - no matter if nonce / hash is included).
I.e. this could be done in a way that instead of rendering
Inline scripts should be nonced.
```twig
<script type="text/javascript" src="{{ ckeditor_js_path(js_path) }}" nonce="{{ csp_nonce() }}"></script>
```
If I correct this in an override template, I still get this error:
ckeditor.js:formatted:2451 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-D24ObGl7HKSBzXcbvtko/A==' 'nonce-8d0191f0200751ec63fafa5a557f048a'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
Seems due to this code: ckeditor.js:formatted:2451
which works only if the script-src directive is set to 'unsafe-inline', which is bad.
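To make the refusal above concrete, here is an added example (not code from ckeditor or from this issue) that models how a browser evaluates a script-src source list against an inline script: once any nonce or hash source is listed, 'unsafe-inline' is ignored, so the inline script ckeditor.js injects is refused unless it carries one of the page's nonces. Hash matching of script bodies and 'strict-dynamic' are not modelled; the policy string is copied from the error message quoted above.

```javascript
// Added example: a small model of the CSP rule behind the error quoted in this
// issue. It is not part of ckeditor or of the bundle being discussed.

// Pull the script-src source list out of a full policy string.
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/.test(d));
  if (!directive) return null;
  return directive.slice('script-src'.length).trim().split(/\s+/).filter(Boolean);
}

// Decide whether an inline <script> is allowed. `script` is { nonce?: string }.
// Per CSP Level 2/3, if any 'nonce-*' or 'sha*-*' source is present,
// 'unsafe-inline' is ignored, so the script needs a matching nonce.
// (Hash comparison of the script body is deliberately not modelled here.)
function inlineScriptAllowed(policy, script) {
  const sources = parseScriptSrc(policy);
  if (!sources) return { allowed: true, reason: 'no script-src directive' };
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-.+'$/.test(s));
  const nonceOrHashPresent = nonces.length > 0 || hasHash;
  if (script.nonce && nonces.includes(script.nonce)) {
    return { allowed: true, reason: 'nonce matches a listed nonce' };
  }
  if (sources.includes("'unsafe-inline'") && !nonceOrHashPresent) {
    return { allowed: true, reason: "'unsafe-inline' with no nonce/hash listed" };
  }
  return {
    allowed: false,
    reason: nonceOrHashPresent
      ? "'unsafe-inline' ignored because a nonce/hash is listed; no matching nonce"
      : 'inline scripts are not permitted by this directive',
  };
}

// The directive from the error message quoted above (constructed from it).
const ISSUE_POLICY =
  "script-src 'self' 'unsafe-inline' 'nonce-D24ObGl7HKSBzXcbvtko/A==' 'nonce-8d0191f0200751ec63fafa5a557f048a'";

// Usage: the un-nonced inline script ckeditor.js injects is refused,
// while an inline script carrying one of the page's nonces is allowed.
console.log(inlineScriptAllowed(ISSUE_POLICY, {}));
console.log(inlineScriptAllowed(ISSUE_POLICY, { nonce: '8d0191f0200751ec63fafa5a557f048a' }));
```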