romanvm / django-tinymce4-lite

TinyMCE 4 editor widget for Django
MIT License

Insecure Content Security policy "unsafe-inline" required #56

Open GitRon opened 5 years ago

GitRon commented 5 years ago

Hi there!

I updated my CSP settings and suddenly the plugin stopped working. I read at the TinyMCE website (https://www.tiny.cloud/docs/advanced/security/#qhowdoisetupcontentsecuritypolicycspwithtinymce) that the unsafe-inline is NOT required. When I enable it in my django project, the editor is not shown. Analysing it with Firebug shows inline scripts as well.

Any ideas if this is going to be fixed at some point or if I'm doing something wrong?

Thanks!
Rony

romanvm commented 5 years ago

To be honest, I have absolutely no idea what you are talking about.

GitRon commented 5 years ago

Haha, ok, I'll elaborate. @romanvm

There is a security header called Content Security Policy (CSP). You can prevent - or enable - from which sources the browser should load page contents. This can be very helpful in securing your website.

There was even a talk at the djangoCon Europe this year.

You can explicitly disable loading inline scripts because they might have been injected at some point. Django 2.0 or 2.1 cleaned up the admin so it doesn't have any inline code lying around anymore, so you can set the CSP to a quite safe and strict policy.

But when I enable the strict policy that is fine for Django, the TinyMCE editor which comes with this plugin does not work anymore.

The TinyMCE docs say that you should be able to use this strict policy. So I just assumed that the problem is within this package.

If you want to try it out on your own: the package you need is django-csp; enable the strict policy in the settings with:

```python
CSP_DEFAULT_SRC = (
    "'self'",
    "'unsafe-inline'",  # this is the one
)
```

Hope this helps!

romanvm commented 5 years ago

Thank you for your explanation. Indeed, this application attaches the TinyMCE widget to textareas via inline `<script>` tags. If you disable that, it won't work anymore. As for fixing this, I will consider it. And PRs are always welcome.
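To make the two comments above concrete, here is an added example (not code from django-tinymce4-lite or django-csp) that models the browser's CSP decision for the inline `<script>` the package emits. It shows why the `CSP_DEFAULT_SRC` policy quoted in the thread only works with `'unsafe-inline'`, and which alternatives let the policy stay strict: a hash of the inline script, a per-request nonce (django-csp exposes one as `request.csp_nonce`), or moving the init code into a static file that reads its options from `data-*` attributes. The header strings, the `INLINE_INIT` snippet, the nonce value and the URLs are constructed for illustration and are assumptions, not the package's real markup; scheme, port and wildcard matching for host sources is simplified.

```python
"""Added example: a minimal model of CSP's script-src decision for the inline
widget-init script. Not code from django-tinymce4-lite or django-csp; the
inline snippet, nonce, header strings and URLs are constructed assumptions.
"""
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed stand-in for the per-textarea init script the package emits.
INLINE_INIT = 'tinyMCE.init({"selector": "#id_body"});'
NONCE = "rAnd0mNoNcE"          # django-csp exposes a real one as request.csp_nonce
PAGE_ORIGIN = "https://example.com"

# The policy from the thread, and the strict one that breaks the widget.
PERMISSIVE = "default-src 'self' 'unsafe-inline'"
STRICT = "default-src 'self'"


def script_hash(source, algo="sha256"):
    """CSP hash-source ('sha256-<base64 digest>') for an inline script body."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(header):
    """script-src governs scripts; default-src is only the fallback."""
    policy = parse_csp(header)
    return policy.get("script-src", policy.get("default-src", []))


def inline_script_allowed(header, source, nonce=None):
    """CSP3 rule for an inline <script>: 'unsafe-inline' permits it, but is
    ignored as soon as the directive also lists a nonce or hash source, so a
    nonce/hash policy can keep 'unsafe-inline' as a fallback for old browsers
    without weakening modern ones."""
    sources = script_sources(header)
    strict_sources = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not strict_sources:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    return any(f"'{script_hash(source, algo)}'" in sources
               for algo in ("sha256", "sha384", "sha512"))


def external_script_allowed(header, script_url, page_origin=PAGE_ORIGIN):
    """<script src=...>: allowed by 'self' when same-origin, or by an explicit
    host source (scheme/port/wildcard matching simplified)."""
    parts = urlsplit(script_url)
    script_origin = f"{parts.scheme}://{parts.netloc}"
    sources = script_sources(header)
    if "'self'" in sources and script_origin == page_origin:
        return True
    return script_origin in sources or parts.netloc in sources


def widget_variants(header, nonce_in_page=None):
    """How three ways of wiring up the widget fare under one policy: the inline
    script the package emits today, the same script carrying a nonce attribute,
    and the init moved to a static file that reads data-* attributes."""
    return {
        "inline": inline_script_allowed(header, INLINE_INIT),
        "inline+nonce": inline_script_allowed(header, INLINE_INIT, nonce=nonce_in_page),
        "external": external_script_allowed(header, f"{PAGE_ORIGIN}/static/tinymce_init.js"),
    }


if __name__ == "__main__":
    hashed = f"{STRICT}; script-src 'self' '{script_hash(INLINE_INIT)}'"
    nonced = f"{STRICT}; script-src 'self' 'nonce-{NONCE}'"
    for name, header in [("permissive", PERMISSIVE), ("strict", STRICT),
                         ("hash", hashed), ("nonce", nonced)]:
        print(f"{name:10s} {widget_variants(header, nonce_in_page=NONCE)}")
```

The hash route only works because the init snippet is static; the moment the package interpolates per-field options into the inline script, every rendered variant would need its own hash, which is why a nonce (or an external file plus `data-*` attributes, which needs nothing beyond `'self'`) is the usual fix for a widget library.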

GitRon commented 5 years ago

@romanvm Cool, thanks! I'd love to help but currently my tasks for django plugins pile up and I don't get anything done. Sorry 😢

GitRon commented 4 years ago

@romanvm Any update on the topic? 😃

romanvm commented 4 years ago

Honestly, my priorities have changed, and I have no time to develop this package beyond minimal maintenance. So any pull requests are welcome.

GitRon commented 4 years ago

Alright, thanks for the update.