suren-atoyan
commented
9 months ago hi @PeppeL-G 👋
Sorry for the late reply. Is your issue still actual?
Open PeppeL-G opened 10 months ago
suren-atoyan
commented
9 months ago hi @PeppeL-G 👋
Sorry for the late reply. Is your issue still actual?
PeppeL-G
commented
9 months ago @suren-atoyan, no worries, I'm in no hurry ^^ Thanks for taking your time.
The CSP I have seems to work good for me, so I don't have any problem. But I imagine many programmers will use Monaco/Monaco Loader the same way as I do:
Then it's good to have a CSP to make it more secure for the web browser to execute the entered JS code, and knowing what CSP directives one need to allow to make the editor work would be good.
But perhaps this is not an enough common use-case to be worth mentioning in the docs (and possibly hard to keep up-to-date anyway), so maybe trial-and-error and this issue is helpful enough for other programmers in my situation.
This package works great, but I needed to add a CSP to my webpage that runs the editor, and in the CSP I need to list the resources the editor loads as exceptions to the CSP. My CSP contains some additional exceptions, but I think these are the ones needed for the editor to be able to load its resources:
I don't know if I've managed to allow all resources the editor will ever attempt to load. For one,
data:forimg-srcI noticed was needed first when the editor tried to load it, which was when I triggered the autocomplete box to open, so there might be more that needs to be allowed I haven't discovered yet. Anyway, would be nice to have this documented somewhere.(it's also the first time I'm using a CSP, so there might be a better way of achieving the same result)