Insecure Content Security policy "unsafe-inline" required

Open GitRon opened this issue 5 years ago • 7 comments

Hi there!

I updated my CSP settings and suddenly the plugin stopped working. I read at the TinyMCE website (https://www.tiny.cloud/docs/advanced/security/#qhowdoisetupcontentsecuritypolicycspwithtinymce) that the unsafe-inline is NOT required. When I enable it in my django project, the editor is not shown. Analysing it with Firebug shows inline scripts as well.

Any ideas if this is going to be fixed at some point or if I'm doing something wrong?

Thanks!
Rony

GitRon avatar Jun 19 '19 06:06 GitRon

To be honest, I have absolutely no idea what you are talking about.

romanvm avatar Jun 23 '19 20:06 romanvm

Haha, ok, I'll elaborate. @romanvm

There is a security header called Content Security Policy (CSP). You can prevent - or enable - from which sources the browser should load page contents. This can be very helpful in securing your website.

There was even a talk at the djangoCon Europe this year.

You can explicitly disable loading inline scripts because they might have been injected at some point. Django 2.0 or 2.1 cleaned up the admin so they don't have any inline code lying around anymore so you can set the CSP to a quite safe and strict policy.

But when I enable the strict policy that is fine for Django, the TinyMCE editor which comes with this plugin does not work anymore.

The TinyMCE docs say that you should be able to use this strict policy. So I just assumed that the problem is within this package.

If you want to try it out on your own: The package you need is django-csp and enable the strict policy in the settings with:

CSP_DEFAULT_SRC = (
    "'self'",
    "'unsafe-inline'",  # this is the one
)

Hope this helps!

GitRon avatar Jun 24 '19 06:06 GitRon

Thank you for your explanation. Indeed, this application attaches TinyMCE widget to textareas via inline <script> tags. If you disable that, it won't work any more. As for fixing this, I will consider this. And PRs are always welcome.

romanvm avatar Jun 25 '19 05:06 romanvm
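To make the mechanism in the exchange above concrete, here is an added example (not code from django-tinymce4-lite or django-csp) that models the browser's CSP source-list check for an inline script. It compares the reporter's strict `default-src 'self'` policy, the `'unsafe-inline'` relaxation, and the two alternatives CSP offers for a legitimate inline script: a hash source and a nonce source. The script body and the nonce value are constructed for the example; the real widget-attaching script is generated by the package's template and is not reproduced here.

```python
"""Decide whether a Content-Security-Policy would let an inline <script> run.

Added example, not code from django-tinymce4-lite or django-csp. It follows the
CSP Level 2/3 rules for inline scripts: script-src falls back to default-src,
and once a nonce or hash source is present 'unsafe-inline' is ignored.
"""
import base64
import hashlib


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: dict) -> list:
    """script-src governs scripts; it falls back to default-src when absent."""
    return policy.get("script-src", policy.get("default-src", []))


def sha256_source(script_body: str) -> str:
    """Hash-source expression for the exact text of an inline script."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(header: str, script_body: str, nonce: str = None) -> bool:
    """True if an inline <script> (optionally carrying nonce="...") may execute."""
    sources = script_sources(parse_csp(header))
    nonces = {s for s in sources if s.startswith("'nonce-")}
    hashes = {s for s in sources if s.startswith("'sha256-")}
    if nonces or hashes:
        # A nonce or hash in the source list disables 'unsafe-inline';
        # only a matching nonce or a matching hash lets the script run.
        if nonce and f"'nonce-{nonce}'" in nonces:
            return True
        return sha256_source(script_body) in hashes
    return any(s.lower() == "'unsafe-inline'" for s in sources)


# Constructed stand-in for the inline script that attaches the widget; the
# real one is emitted by the package's template and differs per field.
SAMPLE_SCRIPT = 'tinymce.init({selector: "#id_content"});'

STRICT = "default-src 'self'"                  # the reporter's strict policy
UNSAFE = "default-src 'self' 'unsafe-inline'"  # the relaxation the thread points at
HASHED = "default-src 'self'; script-src 'self' " + sha256_source(SAMPLE_SCRIPT)
NONCED = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"  # nonce is made up


def compare_policies(script_body: str = SAMPLE_SCRIPT) -> dict:
    """Outcome of each policy for the same inline script."""
    return {
        "strict": inline_script_allowed(STRICT, script_body),
        "unsafe-inline": inline_script_allowed(UNSAFE, script_body),
        "hash": inline_script_allowed(HASHED, script_body),
        "nonce-match": inline_script_allowed(NONCED, script_body, nonce="r4nd0m"),
        "nonce-missing": inline_script_allowed(NONCED, script_body),
    }


if __name__ == "__main__":
    for name, allowed in compare_policies().items():
        print(f"{name:14s} -> {'runs' if allowed else 'blocked'}")
```

Two practical caveats the model makes visible: a hash source matches only the exact bytes of the script text (change one character of the widget configuration, or a trailing newline, and it is blocked), so hashes suit static inline scripts but not ones rendered per field; a nonce needs a fresh random value per response and the template has to write it into the `<script nonce="...">` attribute, which is what a fix in this package would have to add (django-csp exposes a per-request nonce for templates in its 3.x series, but the exact setting names are not stated in this thread).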

@romanvm Cool, thanks! I'd love to help but currently my tasks for django plugins pile up and I don't get anything done. Sorry 😢

GitRon avatar Jun 25 '19 07:06 GitRon

@romanvm Any update on the topic? 😃

GitRon avatar Nov 11 '19 14:11 GitRon

Honestly, my priorities have changed, and I have no time to develop this package beyond minimal maintenance. So any pull requests are welcome.

romanvm avatar Nov 12 '19 10:11 romanvm

Alright, thanks for the update.

GitRon avatar Nov 12 '19 10:11 GitRon