FEAT: Support Content-Security-Policy #3558
Comments
mmm I'm not sure exactly how I'm able to fix it and what do you mean by

Found out that it's in the dist files due to underscore.js template() method which uses

Maybe this can be changed by using it: https://github.com/silvermine/undertemplate
Can you share your CSP config to test it?

@aimeos I'm wondering how the detection is performed. If it's based on execution it's not a big deal to replace all references of the template function (at least not if there is a security concern)

@artf Guess, browsers block certain dynamic function declarations (

ok then, I'll try to fix it for the next release.
To reduce the possible attack surface if the editor is used in "hostile" environments (e.g. in SaaS platforms) support for CSP is required. This will also prevent problems like #3082

At the moment, the only problem that prevents effective CSP rules is the use of new Function() in the GrapesJS code, which requires a CSP rule of unsafe-eval. Is there a different way to implement that?
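Added illustration of the point raised in this issue (this is my own code, not code from GrapesJS, underscore.js or undertemplate): compileWithFunction builds the template the way underscore's template() does, via new Function, which a CSP whose script-src lacks 'unsafe-eval' rejects with an EvalError; compileInterpreted renders the same `<%= name %>` syntax by walking pre-parsed tokens and never generates code, so it works under `script-src 'self'`; evalAllowed() is one way to detect at runtime whether the active policy permits code generation. Only the interpolation tag is handled, and all function names are assumptions.

```javascript
// Escape a literal chunk so it can be embedded in a double-quoted JS string.
function escapeLiteral(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"')
          .replace(/\n/g, '\\n').replace(/\r/g, '\\r');
}

const TAG = /<%=\s*(\w+)\s*%>/g; // underscore-style interpolation tag (no HTML escaping)

// 1. Code-generating compiler (the underscore.js approach, simplified).
//    Under "Content-Security-Policy: script-src 'self'" the `new Function`
//    call below throws an EvalError; it only succeeds with 'unsafe-eval'.
function compileWithFunction(source) {
  let body = 'return "';
  let last = 0, m;
  TAG.lastIndex = 0;
  while ((m = TAG.exec(source)) !== null) {
    body += escapeLiteral(source.slice(last, m.index)) + '" + String(data.' + m[1] + ') + "';
    last = TAG.lastIndex;
  }
  body += escapeLiteral(source.slice(last)) + '";';
  return new Function('data', body);
}

// 2. Interpreting renderer (same idea as undertemplate, written here from scratch):
//    parse once into text/key tokens, render by walking them. No eval needed, so
//    the CSP can stay at "script-src 'self'" with no 'unsafe-eval'.
function compileInterpreted(source) {
  const tokens = [];
  let last = 0, m;
  TAG.lastIndex = 0;
  while ((m = TAG.exec(source)) !== null) {
    if (m.index > last) tokens.push({ text: source.slice(last, m.index) });
    tokens.push({ key: m[1] });
    last = TAG.lastIndex;
  }
  if (last < source.length) tokens.push({ text: source.slice(last) });
  return (data) => tokens.map(t => (t.key !== undefined ? String(data[t.key]) : t.text)).join('');
}

// 3. Runtime detection of whether the page's CSP permits code generation
//    (answers "how the detection is performed": by attempting it).
function evalAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false; // EvalError when script-src lacks 'unsafe-eval'
  }
}
```

Run in a page served with `Content-Security-Policy: script-src 'self'`, the first compiler fails and the second still renders; in Node (no CSP) both produce identical output.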