Opened 7 years ago
Last modified 3 years ago
#17379 new defect
dijit/Editor does not work in Chrome extension due to Content Security Policy script-src
Reported by: | lkrcal | Owned by: | |
---|---|---|---|
Priority: | undecided | Milestone: | 1.14 |
Component: | Editor | Version: | 1.9.1 |
Keywords: | | Cc: | |
Blocked By: | | Blocking: | |
Description
When instantiating the dijit/Editor by any means, e.g. using the demo available at http://dojotoolkit.org/reference-guide/1.9/dijit/Editor.html in the context of a Chrome extension, there is a Content Security Policy exception.
Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' chrome-extension://".
This comes from inserting an iframe with src="javascript: ..." into DOM at RichText.js:523.
declare.open (RichText.js:523)
declare.startup (RichText.js:206)
inherited (declare.js:189)
declare.startup (Editor.js:129)
(anonymous function) (parser.js:193)
array.forEach (array.js:251)
onConstruct (parser.js:191)
signalListener (Deferred.js:37)
then.promise.then (Deferred.js:258)
parser._instantiate (parser.js:202)
(anonymous function) (parser.js:892)
signalListener (Deferred.js:37)
then.promise.then (Deferred.js:258)
parser.parse (parser.js:891)
(anonymous function) (lang.js:373)
onEvent (ready.js:47)
processQ (domReady.js:50)
detectReady (domReady.js:63)
I assume the src script of the iframe is considered to be an inline script, which is disabled in Chrome extensions by default. There is no way of relaxing this constraint in Chrome.
A possible solution may be to replace the inline script by a template loaded from another file. Once the iframe is inserted, change the DOM of the inner page (editor) according to the content.
---
Manifest CSP:
"content_security_policy" : "default-src 'self'; script-src 'self' 'unsafe-eval' chrome-extension://;"
Chrome version: Version 28.0.1500.95
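The following is an added example, not part of the ticket and not Dojo or Chrome code. It models why the manifest policy above rejects a `javascript:` URL even though it lists 'unsafe-eval': such URLs are evaluated as inline script, which only 'unsafe-inline' in the governing directive permits. The function names are illustrative, and CSP3 'unsafe-hashes' is left out as a simplification.

```javascript
// Added example: minimal model of how CSP treats javascript: URLs.
// Function names are illustrative; CSP3 'unsafe-hashes' is not modelled.

// Parse a serialized policy into Map<directive, sources[]>. The first
// occurrence of a directive wins, as in the CSP specification.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A javascript: URL counts as inline script, so only 'unsafe-inline' in the
// governing directive (script-src, else default-src) permits it. 'self',
// 'unsafe-eval' and host or scheme sources never do.
function javascriptUrlVerdict(policy) {
  const csp = parseCsp(policy);
  const governing = ["script-src", "default-src"].find((d) => csp.has(d)) || null;
  if (governing === null) return { allowed: true, governing };
  const sources = csp.get(governing).map((s) => s.toLowerCase());
  // Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is present.
  const overridden = sources.some(
    (s) => /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'");
  return { allowed: sources.includes("'unsafe-inline'") && !overridden, governing };
}

// Policy quoted in the ticket, followed by constructed policies for comparison.
const TICKET_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-eval' chrome-extension://;";
const CONSTRUCTED = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-abc123'",
  "img-src 'self'",
];

for (const policy of [TICKET_POLICY, ...CONSTRUCTED]) {
  const { allowed, governing } = javascriptUrlVerdict(policy);
  console.log(`${allowed ? "ALLOWED" : "BLOCKED"} by ${governing || "no directive"}: ${policy}`);
}
```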
Change History (5)
comment:1 Changed 7 years ago by
Component: | General → Editor |
---|
comment:2 Changed 5 years ago by
Milestone: | tbd → 1.12 |
---|
I'm not sure that this is really fixable, but will look at it for 1.12.
comment:4 Changed 4 years ago by
Milestone: | 1.12 → 1.13 |
---|
Ticket planning... move current 1.12 tickets out to 1.13 that likely won't get fixed in 1.12.
comment:5 Changed 3 years ago by
Milestone: | 1.13 → 1.14 |
---|
Might be possible, although I think it uses different markup depending on the browser.