Insecure Content Security policy "unsafe-inline" required about django-tinymce4-lite HOT 7 OPEN

To be honest, I have absolutely no idea what you are talking about.

from django-tinymce4-lite.

Haha, ok, I'll elaborate. @romanvm

There is a security header called Content Security Policy (CSP). You can prevent - or enable - from which sources the browser should load page contents. This can be very helpful in securing your website.

There was even a talk at the djangoCon Europe this year.

You can explicitly disable loading inline scripts because they might have been injected at some point. Django 2.0 or 2.1 cleaned up the admin so they don't have any inline code lying around anymore so you can set the CSP to a quite safe and strict policy.

But when I enable the strict and for django ok policiy, the TinyMCE editor which comes with this plugin, does not work anymore.

The TinyMCE docs say that you should be able to use this strict policy. So I just assumed that the problem is within this package.

If you want to try it out on your own: The package you need is django-csp and enable the strict policy in the settings with:

CSP_DEFAULT_SRC = (
     "'self'",  
    "'unsafe-inline'",  # this is the one
)

Hope this helps!

from django-tinymce4-lite.

Thank you for your explanation. Indeed, this application attaches TinyMCE widget to textareas via inline <script> tags. If you disable that, it won't work any more.
As for fixing this, I will consider this. And PRs are always welcome.

from django-tinymce4-lite.

@romanvm Cool, thanks! I'd love to help but currently my tasks for django plugins pile up and I don't get anything done. Sorry 😢

from django-tinymce4-lite.

@romanvm Any update on the topic? 😃

from django-tinymce4-lite.

Honestly, my priorities have changed, and I have not time to develop this package beyond minimal maintenance. So any pull request are welcome.

from django-tinymce4-lite.

Alright, thanks for the update.

from django-tinymce4-lite.