agusmakmun
commented
7 months ago Hello @cafischer, seems it happens on both bootstrap and ace editor itself.
Fixing the code inside the bootstrap and ace is hard to do, and potentially breaking the style or functionalities. I believe in the latest version of bootstrap and ace still had the same issue. So, to handle that we need to update our CSP header:
For django-csp
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'")
CSP_IMG_SRC = ("*", "'self'", "data:", "https:")or nginx header:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src * 'self' data: https:";If above still now working on script, we can add the script-src:
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'")
CSP_IMG_SRC = ("*", "'self'", "data:", "https:")
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src * 'self' data: https:; script-src 'self' 'unsafe-inline';";
Details
Steps to reproduce
add_header Content-Security-Policy "default-src 'self';In the Browser console you see the error: ace.js:5 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-NPmOMJ6Koi743g0BGW8ul25dqdhwdyelDGzO4sWLPbE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. and Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
I expect the markdown editor work with security precautions in place.