feat: add nonce attribute for loading scripts with csp policy
closes #553
@felixmosh Looking back at #553, it sounds like you're hoping to load TinyMCE with a nonce and have that nonce automatically applied to every script TinyMCE creates. If that's the case, unfortunately this PR won’t achieve that.
Even if that’s not the goal, this change still won’t allow you to enforce a strict CSP reliably, since TinyMCE dynamically injects additional scripts at init time (for plugins, skins, and other resources).
You may want to forward this as a feature request to the TinyMCE issue tracker, as this would need to be addressed within the core editor.
For reference, Tiny has a useful guide on CSP considerations here: TinyMCE CSP Guide
Usage of a nonce for CSP is a standard thing. The spec says that if a script is loaded with a nonce, every script loaded from it will be trusted. So there is no need to apply it to all loaded scripts... Currently, I'm forced to allow the entire CDN URL... Which is wrong.
Don't you also need to add strict-dynamic for trust to be propagated according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#strict-dynamic?
Yeap...
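To make the point of the last two comments concrete, here is an added example (not code from this PR, from TinyMCE, or from the wrapper project) that models how a browser decides whether a script is allowed under a `script-src` policy. It contrasts a nonce-only policy, a nonce plus a host allowlist (the "allow the entire CDN URL" workaround), and a nonce plus `'strict-dynamic'`, which is what actually propagates trust from the nonced loader script to the plugin and theme scripts it creates with `document.createElement`. The header strings, the nonce value and the `cdn.example.invalid` host are constructed for illustration; `'self'`, scheme sources and hash sources are deliberately not modelled.

```javascript
// Added example, not part of the PR: a small model of CSP script-src
// decisions under nonce-only vs. nonce + 'strict-dynamic' policies.
// All header strings, nonce values and host names are constructed.

function scriptSources(header) {
  // Returns the source list of script-src, falling back to default-src,
  // or null when neither directive is present (script loading unrestricted).
  const byName = {};
  for (const directive of header.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name) byName[name.toLowerCase()] = sources;
  }
  return byName["script-src"] || byName["default-src"] || null;
}

function hostMatches(source, url) {
  // Minimal host-source matching: exact origin, or a bare "*." wildcard.
  // Keyword sources such as 'self' or 'nonce-...' never parse as URLs and
  // therefore never match here (assumption: 'self' is out of scope).
  if (!url) return false;
  const target = new URL(url);
  if (source.startsWith("*.")) return target.hostname.endsWith(source.slice(1));
  try {
    return new URL(source).origin === target.origin;
  } catch {
    return false;
  }
}

function allowsScript(header, script) {
  // script: { url, nonce, inserted: "parser" | "dom", parentTrusted }
  //   inserted === "dom" means created via createElement/appendChild;
  //   "parser" means written into markup, innerHTML or document.write.
  const sources = scriptSources(header);
  if (!sources) return true;
  const strictDynamic = sources.includes("'strict-dynamic'");
  const nonces = sources
    .filter((s) => s.startsWith("'nonce-") && s.endsWith("'"))
    .map((s) => s.slice("'nonce-".length, -1));
  // A matching nonce always grants trust, however the script was inserted.
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (strictDynamic) {
    // With 'strict-dynamic' the host allowlist is ignored; trust only
    // propagates from an already-trusted script to non-parser-inserted
    // scripts it creates.
    return script.parentTrusted === true && script.inserted === "dom";
  }
  // Without 'strict-dynamic', fall back to the host allowlist.
  return sources.some((src) => hostMatches(src, script.url));
}

// Constructed scenario: a nonced loader script pulls TinyMCE from a CDN,
// and TinyMCE then injects a plugin script at init time without a nonce.
const NONCE = "d3m0N0nc3";                       // constructed value
const CDN = "https://cdn.example.invalid";       // constructed placeholder host
const LOADER = { url: `${CDN}/tinymce/tinymce.min.js`, nonce: NONCE, inserted: "parser" };
const PLUGIN_URL = `${CDN}/tinymce/plugins/table/plugin.min.js`;

const POLICIES = {
  nonceOnly: `script-src 'nonce-${NONCE}'`,
  nonceWithHost: `script-src 'nonce-${NONCE}' ${CDN}`,
  nonceStrictDynamic: `script-src 'nonce-${NONCE}' 'strict-dynamic'`,
};

function evaluate(header) {
  // Returns whether the loader, a DOM-inserted child and a parser-inserted
  // child (both without a nonce) are allowed under the given header.
  const loader = allowsScript(header, LOADER);
  const child = (inserted) => ({ url: PLUGIN_URL, inserted, parentTrusted: loader });
  return {
    loader,
    dynamicChild: allowsScript(header, child("dom")),
    parserChild: allowsScript(header, child("parser")),
  };
}

for (const [name, header] of Object.entries(POLICIES)) {
  console.log(name, JSON.stringify(evaluate(header)));
}
```

Running the block prints one line per policy: under `nonceOnly` the loader is allowed but the plugin script is blocked, which is the symptom in #553; `nonceWithHost` unblocks it only by trusting every script on the CDN origin; `nonceStrictDynamic` allows the DOM-inserted plugin script while still rejecting a parser-inserted one, and would also ignore any host entry added alongside it.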