
CKEditor5 Violates Content Security Policy Due to Inline Styles #16359

Closed
arunkumar30 opened this issue May 15, 2024 · 4 comments
Labels
resolution:duplicate This issue is a duplicate of another issue and was merged into it. type:bug This issue reports a buggy (incorrect) behavior.

Comments

@arunkumar30

arunkumar30 commented May 15, 2024

📝 Provide detailed reproduction steps (if any)

Getting a console error for CSP when the meta tag below is included in the HTML.
<meta http-equiv="Content-Security-Policy" content="connect-src 'self'; script-src 'self'; style-src 'self'; " />

When trying to upload an image, copy-paste formatted text, etc.

  • @ckeditor/ckeditor5-engine/src/dataprocessor/htmldataprocessor.js
  • @ckeditor/ckeditor5-engine/src/view/domconverter.js

✔️ Expected result

No error should be there

❌ Actual result

Error on the console.

❓ Possible solution

Can we have a flag to turn CSP on/off? If CSP is turned on, features that don't support CSP should not be active.

📃 Other details

  • Browser: …
  • OS: …
  • First affected CKEditor version: …
  • Installed CKEditor plugins: …
    [
    Alignment,
    Autoformat,
    BlockQuote,
    Bold,
    Copy,
    Cut,
    DefaultFont,
    Essentials,
    FindAndReplace,
    Font,
    FontBackgroundColor,
    FontColor,
    FontFamily,
    FontSize,
    FormatPainter,
    GeneralHtmlSupport,
    Heading,
    HorizontalLine,
    Image,
    ImageCaption,
    ImageInsert,
    ImageStyle,
    ImageUpload,
    Indent,
    IndentBlock,
    Italic,
    Link,
    List,
    Maximize,
    Paragraph,
    PasteBase64,
    PasteFromOffice,
    PasteFromOfficeEnhanced,
    PasteHandler,
    Paste,
    Preview,
    RemoveFormat,
    SelectAll,
    SpecialCharacters,
    SpecialCharactersArrows,
    SpecialCharactersCurrency,
    SpecialCharactersEssentials,
    SpecialCharactersLatin,
    SpecialCharactersMathematical,
    SpecialCharactersText,
    Strikethrough,
    Subscript,
    Superscript,
    Table,
    TableCellProperties,
    TableColumnResize,
    TableProperties,
    TableToolbar,
    TextTransformation,
    Underline
    ];

If you'd like to see this fixed sooner, add a 👍 reaction to this post.

@arunkumar30 arunkumar30 added the type:bug This issue reports a buggy (incorrect) behavior. label May 15, 2024

@arunkumar30 arunkumar30 changed the title from "Getting CSP Error : styles extracted to a separate .css file" to "CKEditor5 Violates Content Security Policy Due to Inline Styles" May 15, 2024
@Reinmar
Member

Reinmar commented May 20, 2024

DUP of #15509

@Reinmar Reinmar closed this as completed May 20, 2024
@Reinmar Reinmar added the resolution:duplicate This issue is a duplicate of another issue and was merged into it. label May 20, 2024
@arunkumar30
Author

arunkumar30 commented May 20, 2024

@Reinmar It's not an issue with the font plugin or text alignment. While I am trying to upload an image or copy-paste data, the CSP error is there.

In @ckeditor\ckeditor5-engine\src\view\domconverter.js, I can see the setAttribute method, which triggers the HTML parser, and a CSP error is thrown.

In the setDomElementAttribute() function:

    domElement.setAttribute(shouldRenderAttribute ? key : UNSAFE_ATTRIBUTE_NAME_PREFIX + key, value);
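The behaviour described in this thread follows from how CSP treats inline style attributes: a `style=""` attribute written with `setAttribute` is governed by `style-src-attr`, falling back to `style-src` and then `default-src`, and is blocked unless that directive permits inline sources. The following is an added example (not CKEditor code) that parses a CSP policy string and reports whether such attributes would be allowed; it is applied to the exact policy from the meta tag in the issue description and to a constructed variant that relaxes only `style-src`, leaving `script-src` strict.

```javascript
// Added example, not CKEditor code: decide whether a CSP policy lets the
// browser apply inline style="" attributes set via element.setAttribute().
// Rules applied (CSP Level 3):
//  - style attributes use style-src-attr, then style-src, then default-src;
//  - no matching directive means no restriction;
//  - 'unsafe-inline' permits attributes, but is ignored when the same
//    directive also lists a nonce or hash source;
//  - 'unsafe-hashes' plus a hash permits only attributes whose hash matches,
//    which a policy-only check cannot confirm, so it is reported as blocked.

const ATTR_FALLBACK = ['style-src-attr', 'style-src', 'default-src'];
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/;

// Parse "name v1 v2; name2 ..." into a Map. The first occurrence of a
// directive wins, matching browsers, which ignore later duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values.map(v => v.toLowerCase()));
    }
  }
  return directives;
}

// Returns { allowed, directive, reason } for inline style attributes.
function evaluateInlineStyleAttributes(policy) {
  const directives = parseCsp(policy);
  const directive = ATTR_FALLBACK.find(name => directives.has(name));
  if (!directive) {
    return { allowed: true, directive: null, reason: 'no style directive in policy' };
  }
  const sources = directives.get(directive);
  const hasNonceOrHash = sources.some(s => NONCE_OR_HASH.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    return { allowed: true, directive, reason: "'unsafe-inline' present" };
  }
  if (sources.includes("'unsafe-hashes'") && hasNonceOrHash) {
    return { allowed: false, directive, reason: "'unsafe-hashes': only hashed attributes allowed" };
  }
  return { allowed: false, directive, reason: 'inline style attributes blocked' };
}

// The policy from this issue's meta tag, and a constructed variant that
// relaxes only style-src while script-src stays 'self'.
const ISSUE_POLICY = "connect-src 'self'; script-src 'self'; style-src 'self'; ";
const RELAXED_STYLE_POLICY = "connect-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

for (const p of [ISSUE_POLICY, RELAXED_STYLE_POLICY]) {
  console.log(p, '=>', evaluateInlineStyleAttributes(p));
}
```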

@arunkumar30
Author

@Reinmar It seems that wherever setAttribute has been used, the CSP violation is there. The issue occurs for image upload, resize, font, when data is copied from any external source to the editor, and so on. Is there any workaround for the issue?
