This repository has been archived by the owner on Oct 23, 2021. It is now read-only.

Insecure Content Security policy "unsafe-inline" required #56

Open
GitRon opened this issue Jun 19, 2019 · 7 comments

Comments

@GitRon

GitRon commented Jun 19, 2019

Hi there!

I updated my CSP settings and suddenly the plugin stopped working. I read at the TinyMCE website (https://www.tiny.cloud/docs/advanced/security/#qhowdoisetupcontentsecuritypolicycspwithtinymce) that the unsafe-inline is NOT required. When I enable it in my django project, the editor is not shown. Analysing it with Firebug shows inline scripts as well.

Any ideas if this is going to be fixed at some point or if I'm doing something wrong?

Thanks!
Rony

@romanvm
Owner

romanvm commented Jun 23, 2019

To be honest, I have absolutely no idea what you are talking about.

@GitRon
Author

GitRon commented Jun 24, 2019

Haha, ok, I'll elaborate. @romanvm

There is a security header called Content Security Policy (CSP). With it you can restrict, or allow, the sources from which the browser loads page content. This can be very helpful in securing your website.

There was even a talk at the djangoCon Europe this year.

You can explicitly disable loading inline scripts because they might have been injected at some point. Django 2.0 or 2.1 cleaned up the admin so they don't have any inline code lying around anymore so you can set the CSP to a quite safe and strict policy.

But when I enable the strict policy, which is fine for Django, the TinyMCE editor that comes with this plugin does not work anymore.

The TinyMCE docs say that you should be able to use this strict policy. So I just assumed that the problem is within this package.

If you want to try it out on your own: the package you need is django-csp; enable the strict policy in the settings with:

CSP_DEFAULT_SRC = (
    "'self'",
    "'unsafe-inline'",  # this is the one
)

Hope this helps!

@romanvm
Owner

romanvm commented Jun 25, 2019

Thank you for your explanation. Indeed, this application attaches the TinyMCE widget to textareas via inline <script> tags. If you disable that, it won't work anymore.
As for fixing this, I will consider it. And PRs are always welcome.
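
The two comments above (GitRon's django-csp settings and romanvm's confirmation that the widget is bootstrapped by an inline <script>) describe the mechanism but not how the browser decides. The following is an added example, not code from django-tinymce4-lite or django-csp: a small model of the script-src rules for inline blocks, with the hash source that would allow a given block without "'unsafe-inline'". SAMPLE_HTML is constructed to mimic the widget pattern, not the real template output; host-source matching for external scripts and 'strict-dynamic' are not modelled.

```python
# Added example, not code from django-tinymce4-lite or django-csp.
# Models how a browser applies a script-src directive to inline
# <script> blocks and computes the sha256 hash source that would
# allow a given block without 'unsafe-inline'.
import base64
import hashlib
import re

# Constructed markup modelled on the pattern romanvm describes: the
# widget is attached to the textarea by an inline <script> rendered
# next to it. Not the real template output.
SAMPLE_HTML = """
<textarea id="id_content" name="content"></textarea>
<script src="/static/tinymce/tinymce.min.js"></script>
<script>tinyMCE.init({selector: "#id_content"});</script>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
NONCE_RE = re.compile(r'\bnonce="([^"]*)"')
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy):
    """script-src governs scripts; without it the browser falls back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def script_hash(body):
    """Hash source for an inline block: base64(sha256(exact text between the tags))."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def check_inline_scripts(header, html):
    """Return [(body, allowed, hash_source)] for each inline script in html.

    Rule applied (CSP Level 2): if the directive carries any nonce or hash
    source, 'unsafe-inline' is ignored and each inline block needs a matching
    nonce attribute or hash; otherwise only 'unsafe-inline' permits inline
    scripts. External scripts (src=) are skipped: they are matched against
    host sources, which this example does not model.
    """
    sources = script_sources(parse_policy(header))
    strict = any(s.startswith(STRICT_PREFIXES) for s in sources)
    results = []
    for attrs, body in SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue
        digest_source = script_hash(body)
        if strict:
            nonce = NONCE_RE.search(attrs)
            allowed = digest_source in sources or (
                nonce is not None and f"'nonce-{nonce.group(1)}'" in sources
            )
        else:
            allowed = "'unsafe-inline'" in sources
        results.append((body, allowed, digest_source))
    return results


def strict_policy_for(html, base="default-src 'self'; script-src 'self'"):
    """Build a policy that allows exactly the inline scripts present in html
    by hash, so 'unsafe-inline' is not needed. A hash breaks as soon as the
    script text changes (e.g. a different field selector), which is why a
    per-request nonce is the usual fix for widget templates."""
    hashes = [h for _, _, h in check_inline_scripts(base, html)]
    return base + " " + " ".join(hashes) if hashes else base


if __name__ == "__main__":
    for header in ("default-src 'self'",
                   "default-src 'self' 'unsafe-inline'",
                   strict_policy_for(SAMPLE_HTML)):
        print(header)
        for body, allowed, h in check_inline_scripts(header, SAMPLE_HTML):
            print("  ", "allowed" if allowed else "BLOCKED", body[:40], h)
```

The hash route only works while the inline text is byte-for-byte stable, so for a widget whose script embeds the field id a per-request nonce is the practical option: django-csp 3.x can generate one (`CSP_INCLUDE_NONCE_IN = ['script-src']`, exposed to templates as `request.csp_nonce`), and the widget template would have to put that value in the script tag's nonce attribute; that change is an assumption about how a fix might look, not something the project provides.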

@GitRon
Author

GitRon commented Jun 25, 2019

@romanvm Cool, thanks! I'd love to help but currently my tasks for django plugins pile up and I don't get anything done. Sorry 😢

@GitRon
Author

GitRon commented Nov 11, 2019

@romanvm Any update on the topic? 😃

@romanvm
Owner

romanvm commented Nov 12, 2019

Honestly, my priorities have changed, and I have no time to develop this package beyond minimal maintenance. So any pull requests are welcome.

@GitRon
Author

GitRon commented Nov 12, 2019

Alright, thanks for the update.
