FriendsOfSymfony / FOSCKEditorBundle

Provides a CKEditor integration for your Symfony project.

Content Security Policy support #213

Closed lbm-services closed 2 years ago

lbm-services commented 4 years ago

Inline scripts should be nonced.

<script type="text/javascript" src="{{ ckeditor_js_path(js_path) }}" nonce="{{ csp_nonce() }}"></script>

If I correct this in an override template, I still get this error:

ckeditor.js:formatted:2451 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-D24ObGl7HKSBzXcbvtko/A==' 'nonce-8d0191f0200751ec63fafa5a557f048a'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

Seems due to this code: ckeditor.js:formatted:2451

        write: function(a) {
            this.$.open("text/html", "replace");
            CKEDITOR.env.ie && (a = a.replace(/(?:^\s*<!DOCTYPE[^>]*?>)|^/i, '$\x26\n\x3cscript data-cke-temp\x3d"1"\x3e(' + CKEDITOR.tools.fixDomain + ")();\x3c/script\x3e"));
            this.$.write(a);
            this.$.close()
        },

which only works if the script-src directive is set to 'unsafe-inline', which is bad.

fliespl commented 3 years ago

I will attach to this Issue.

While I think adding nonce possibility would be a great option (and should be implemented to keep BC + support more strict environments), allowing one party to include single JS file that renders all ckeditors at once without any inline JS would be a seriously great enhancement for environments having very strict requirements (like no inline JS at all - no matter if nonce / hash is included).

I.e. this could be done in a way that instead of rendering