FEAT: Support Content-Security-Policy
Question
To reduce the possible attack surface if the editor is used in "hostile" environments (e.g. in SaaS platforms), support for CSP is required. This will also prevent problems like https://github.com/artf/grapesjs/issues/3082
At the moment, the only problem that prevents effective CSP rules is the use of new Function() in the GrapesJS code, which requires a CSP rule of unsafe-eval.
Is there a different way to implement that?
Answers (3)
ok then, I'll try to fix it for the next release.
mmm I'm not sure exactly how I'm able to fix it, and what do you mean by "the use of new Function() in the GrapesJS code", as there is no such thing in the source?
Found out that it's in the dist files due to underscore.js template() method which uses new Function(). I think this will make it hard to replace or remove that dependency to enforce a CSP without 'unsafe-eval'.