
CDN are causing CSP errors

Open lfuelling opened this issue 2 years ago • 1 comments

Hi,

Describe the bug

EasyMDE seems to use resources loaded using some content delivery networks, which causes CSP errors when used in an application that doesn't use those CDNs.

To Reproduce

Steps to reproduce the behavior:

  1. Set up a web server (maybe in docker or something) that has CSP enabled (and is using a domain other than localhost)
  2. Create a minimal npm website (maybe using parcel) and install EasyMDE
  3. Deploy the website in the server from step 1
  4. CSP errors like the following should appear in the console:
```
easymde-256c9371.js:103 Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/font-awesome/latest/css/font-awesome.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

ce @ easymde-256c9371.js:103
(anonymous) @ easymde-256c9371.js:103
easymde-256c9371.js:40 Refused to connect to 'https://cdn.jsdelivr.net/codemirror.spell-checker/latest/en_US.aff' because it violates the following Content Security Policy directive: "connect-src 'self' https://some.example.com".

(anonymous) @ easymde-256c9371.js:40
ji @ easymde-256c9371.js:12
Fa @ easymde-256c9371.js:18
sl @ easymde-256c9371.js:18
Ke @ easymde-256c9371.js:20
Ke @ easymde-256c9371.js:20
Pf @ easymde-256c9371.js:32
ce.render @ easymde-256c9371.js:103
ce @ easymde-256c9371.js:103
(anonymous) @ easymde-256c9371.js:103
easymde-256c9371.js:40 Refused to connect to 'https://cdn.jsdelivr.net/codemirror.spell-checker/latest/en_US.dic' because it violates the following Content Security Policy directive: "connect-src 'self' https://some.example.com".
```

Expected behavior

I expected that EasyMDE includes all dependencies instead of using a CDN for that.

Screenshots

N/A

Version information

  • OS: any
  • Browser: any that supports CSP
  • EasyMDE version: 2.16.1 - 2.18.0

Additional context

I already tried the update suggested in #535, but unfortunately the error is still there after the upgrade.

lfuelling, Jun 16 '23 02:06

This seems more like an issue with https://github.com/sparksuite/codemirror-spell-checker than EasyMDE.

If it's bothering you though, you can set spellChecker to false in the EasyMDE constructor. That will prevent it from trying to download this file from the CDN.

shanet, Jul 19 '23 03:07
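
As an added example (not part of the issue thread and not EasyMDE's own code), this Node.js sketch evaluates the three CDN requests from the console output against the reported policy, including the `style-src-elem` to `style-src` fallback that the browser message mentions. The combined policy header, the `https://app.example.test` origin and all function names are assumptions, and source matching is simplified: paths and scheme upgrades are ignored.

```javascript
// Added example, not EasyMDE code. Simplified CSP matching: paths are ignored.
const FALLBACK = {
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
};
// Constructed header combining the two directives quoted in the console errors.
const REPORTED_CSP = "style-src 'self' 'unsafe-inline'; connect-src 'self' https://some.example.com";
// The three requests the console output shows being refused.
const EASYMDE_REQUESTS = [
  ['style-src-elem', 'https://maxcdn.bootstrapcdn.com/font-awesome/latest/css/font-awesome.min.css'],
  ['connect-src', 'https://cdn.jsdelivr.net/codemirror.spell-checker/latest/en_US.aff'],
  ['connect-src', 'https://cdn.jsdelivr.net/codemirror.spell-checker/latest/en_US.dic'],
];

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored, as browsers do.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (port !== '*' && (port || defaultPort) !== (url.port || defaultPort)) return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1).toLowerCase())
    : url.hostname === host.toLowerCase();
}

// Returns one verdict per request: which directive applied and whether it allows the URL.
function audit(header, selfOrigin) {
  const policy = parsePolicy(header);
  return EASYMDE_REQUESTS.map(([directive, rawUrl]) => {
    const effective = FALLBACK[directive].find((d) => policy.has(d)) || null;
    const allowed = effective === null ||
      policy.get(effective).some((s) => sourceMatches(s, new URL(rawUrl), selfOrigin));
    return { directive, effective, url: rawUrl, allowed };
  });
}

console.table(audit(REPORTED_CSP, 'https://app.example.test'));
```

A request reported as blocked needs either a matching source in the policy or the feature turned off: `spellChecker: false`, as suggested in the reply above, stops the two dictionary fetches, and EasyMDE's `autoDownloadFontAwesome: false` option does the same for the stylesheet.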