Ionaru / easy-markdown-editor

EasyMDE: A simple, beautiful, and embeddable JavaScript Markdown editor. Delightful editing for beginners and experts alike. Features built-in autosaving and spell checking.
https://stackblitz.com/edit/easymde
MIT License

CDN are causing CSP errors #546

Open lfuelling opened 1 year ago

lfuelling commented 1 year ago

Hi,

**Describe the bug**
EasyMDE seems to use resources loaded from some content delivery networks, which causes CSP errors when it is used in an application that doesn't allow those CDNs.

**To Reproduce**
Steps to reproduce the behavior:

  1. Set up a web server (maybe in docker or something) that has CSP enabled (and is using a domain other than localhost)
  2. Create a minimal npm website (maybe using parcel) and install EasyMDE
  3. Deploy the website in the server from step 1
  4. CSP errors like the following should appear in the console:

```
easymde-256c9371.js:103 Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/font-awesome/latest/css/font-awesome.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
ce @ easymde-256c9371.js:103
(anonymous) @ easymde-256c9371.js:103
easymde-256c9371.js:40 Refused to connect to 'https://cdn.jsdelivr.net/codemirror.spell-checker/latest/en_US.aff' because it violates the following Content Security Policy directive: "connect-src 'self' https://some.example.com".
(anonymous) @ easymde-256c9371.js:40
ji @ easymde-256c9371.js:12
Fa @ easymde-256c9371.js:18
sl @ easymde-256c9371.js:18
Ke @ easymde-256c9371.js:20
Ke @ easymde-256c9371.js:20
Pf @ easymde-256c9371.js:32
ce.render @ easymde-256c9371.js:103
ce @ easymde-256c9371.js:103
(anonymous) @ easymde-256c9371.js:103
easymde-256c9371.js:40 Refused to connect to 'https://cdn.jsdelivr.net/codemirror.spell-checker/latest/en_US.dic' because it violates the following Content Security Policy directive: "connect-src 'self' https://some.example.com".
```

**Expected behavior**
I expected that EasyMDE includes all dependencies instead of using CDN for that.

**Screenshots**
N/A

**Version information**
- OS: any
- Browser: any that supports CSP
- EasyMDE version: 2.16.1 - 2.18.0

**Additional context**
I already tried the update suggested in #535, but unfortunately the error is still there after the upgrade.

shanet commented 11 months ago

This seems more like an issue with https://github.com/sparksuite/codemirror-spell-checker than EasyMDE.

If it's bothering you though, you can set spellChecker to false in the EasyMDE constructor. That will prevent it from trying to download this file from the CDN.
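As an added example (not code from this thread or from the EasyMDE project), the snippet below parses the policy quoted in the console log, applies the same `style-src-elem` → `style-src` → `default-src` fallback the browser reports, and reproduces both refusals; it then shows the constructor options that keep the editor from issuing those requests at all. The page origin is assumed, and `autoDownloadFontAwesome` is assumed to be the documented EasyMDE option for the stylesheet download.

```javascript
// Added example; not part of EasyMDE or this issue. Checks CDN URLs against
// the CSP directives quoted in the console log above.

// Policy constructed from the directives quoted in the issue
const POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://some.example.com";
const PAGE_ORIGIN = 'https://app.example.org'; // assumed origin of the deploying site

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Minimal source matching: 'self', an exact origin, or a bare scheme.
// Wildcards, nonces and hashes are deliberately not handled here.
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  try {
    return new URL(source).origin === target.origin;
  } catch {
    return false; // keyword sources such as 'unsafe-inline' never match a URL
  }
}

// Fallback chain as the browser applies it: style-src-elem -> style-src -> default-src
function cspAllows(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const directives = parseCsp(policy);
  const chain = [directive];
  if (directive === 'style-src-elem') chain.push('style-src');
  chain.push('default-src');
  for (const name of chain) {
    const sources = directives[name];
    if (sources) return sources.some((s) => sourceMatches(s, url, pageOrigin));
  }
  return true; // no governing directive, so CSP does not restrict this load
}

// EasyMDE options that stop both CDN requests from being issued. spellChecker
// is the option named in the thread; autoDownloadFontAwesome is assumed to be
// the option that suppresses the Font Awesome stylesheet download.
const easymdeOptions = { spellChecker: false, autoDownloadFontAwesome: false };
```

Serving the dictionary files and icon stylesheet from the application's own origin is the alternative when spell checking must stay enabled, since `'self'` then covers them.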