Description
Details
- OS (Operating System) version: Ubuntu
- Browser and browser version: Chromium & Firefox
- Django version: 4.1.7
- Martor version & theme: martor = 1.6.19
Steps to reproduce
- Set a CSP header on your webserver, e.g.:
add_header Content-Security-Policy "default-src 'self'";
- Open a django admin page with a field with the markdown editor
In the Browser console you see the error:
ace.js:5 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-NPmOMJ6Koi743g0BGW8ul25dqdhwdyelDGzO4sWLPbE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
and
Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
I expect the markdown editor to work with security precautions in place.
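As an added illustration, not part of this issue and not Martor or Django code, the script below models the two CSP rules the console messages above invoke: a fetch directive that is not set falls back to `default-src` (and a directive that is set replaces the default list entirely rather than extending it), and inline content is only allowed by `'unsafe-inline'`, a matching hash, or a nonce. It takes the `default-src 'self'` header from the report and a constructed relaxed variant that adds the quoted `sha256-...` hash to `style-src` and `data:` to `img-src`, then evaluates the two loads the browser refused. The page origin `https://example.test` and all helper names are assumptions for the example. One caveat a practitioner should keep in mind: a hash source only unlocks inline `<style>` content; a `style="..."` attribute would additionally need `'unsafe-hashes'`.

```python
"""Minimal CSP source-list evaluator (added example, not Martor/Django code).

Models the two rules the browser errors in this report rely on:
  * an absent fetch directive falls back to `default-src`; a present one
    replaces the default list entirely;
  * inline content needs 'unsafe-inline', a matching hash, or a nonce.
Policy strings and the page origin are constructed for this example; the hash
and data: URL are the ones the console quoted.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Values quoted verbatim by the browser in the original report.
ACE_STYLE_HASH = "sha256-NPmOMJ6Koi743g0BGW8ul25dqdhwdyelDGzO4sWLPbE="
SPACER_GIF = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="

# Constructed policies: the reporter's strict header and a relaxed variant.
STRICT_CSP = "default-src 'self'"
RELAXED_CSP = (
    "default-src 'self'; "
    f"style-src 'self' '{ACE_STYLE_HASH}'; "
    "img-src 'self' data:"
)
# Common mistake: setting img-src without repeating 'self' drops same-origin images.
IMG_ONLY_DATA_CSP = "default-src 'self'; img-src data:"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Turn "a x y; b z" into {"a": ["x", "y"], "b": ["z"]} (hypothetical helper)."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Source list governing `directive`: its own list if set, else default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def allows_inline(policy: dict[str, list[str]], directive: str, *,
                  sha256: str | None = None, nonce: str | None = None) -> bool:
    """Would inline content under `directive` be allowed?

    `sha256` is the "sha256-..." digest of the inline text, `nonce` the value
    of its nonce attribute. Per CSP Level 3, 'unsafe-inline' is ignored once
    the list contains any hash or nonce source.
    """
    sources = effective_sources(policy, directive)
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if sha256 and f"'{sha256}'" in sources:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    return "'unsafe-inline'" in sources and not has_hash_or_nonce


def allows_url(policy: dict[str, list[str]], directive: str, url: str, *,
               page_origin: str) -> bool:
    """Would fetching `url` under `directive` be allowed from `page_origin`?

    Handles the source forms this report needs: 'self', 'none', scheme sources
    such as data:, and exact origin matches. Wildcards are not handled.
    """
    sources = effective_sources(policy, directive)
    if "'none'" in sources:
        return False
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else None
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and parts.scheme == src[:-1]:  # scheme source, e.g. data:
            return True
        if origin is not None and src == origin:            # exact host source
            return True
    return False


def check_markdown_admin(header: str, page_origin: str = "https://example.test") -> dict[str, bool]:
    """Evaluate the loads the console complained about, plus a same-origin image."""
    policy = parse_csp(header)
    return {
        "ace_inline_style": allows_inline(policy, "style-src", sha256=ACE_STYLE_HASH),
        "ace_data_gif": allows_url(policy, "img-src", SPACER_GIF, page_origin=page_origin),
        "own_static_image": allows_url(policy, "img-src", f"{page_origin}/static/x.png",
                                       page_origin=page_origin),
    }


if __name__ == "__main__":
    for name, header in (("strict", STRICT_CSP), ("relaxed", RELAXED_CSP),
                         ("img-src data: only", IMG_ONLY_DATA_CSP)):
        print(name, check_markdown_admin(header))
```

Running it shows the strict header rejecting both the hashed inline style and the `data:` GIF, the relaxed header accepting both while still allowing same-origin images, and the `img-src data:` variant silently breaking same-origin images because the explicit directive no longer inherits `'self'` from `default-src`.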