Opened 6 years ago

Last modified 23 months ago

#17379 new defect

dijit/Editor does not work in Chrome extension due to Content Security Policy script-src

Reported by: lkrcal
Owned by:
Priority: undecided
Milestone: 1.14
Component: Editor
Version: 1.9.1
Keywords:
Cc:
Blocked By:
Blocking:

Description

When instantiating the dijit/Editor by any means, e.g. using the demo available at http://dojotoolkit.org/reference-guide/1.9/dijit/Editor.html, in the context of a Chrome extension, there is a Content Security Policy exception.

Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' chrome-extension://".

This comes from inserting an iframe with src="javascript: ..." into the DOM at RichText.js:523.

declare.open (RichText.js:523)
declare.startup (RichText.js:206)
inherited (declare.js:189)
declare.startup (Editor.js:129)
(anonymous function) (parser.js:193)
array.forEach (array.js:251)
onConstruct (parser.js:191)
signalListener (Deferred.js:37)
then.promise.then (Deferred.js:258)
parser._instantiate (parser.js:202)
(anonymous function) (parser.js:892)
signalListener (Deferred.js:37)
then.promise.then (Deferred.js:258)
parser.parse (parser.js:891)
(anonymous function) (lang.js:373)
onEvent (ready.js:47)
processQ (domReady.js:50)
detectReady (domReady.js:63)

I assume the src script of the iframe is considered to be an inline script, which is disabled in Chrome extensions by default. There is no way of relaxing this constraint in Chrome.

A possible solution may be to replace the inline script with a template loaded from another file. Once the iframe is inserted, change the DOM of the inner page (editor) according to the content.

---

Manifest CSP:

"content_security_policy" : "default-src 'self'; script-src 'self' 'unsafe-eval' chrome-extension://;"

Chrome version: Version 28.0.1500.95
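Added example, not part of the ticket and not Dojo or Chrome code: a simplified model of the CSP inline-script check, applied to the manifest policy quoted above, to show why an iframe with a javascript: src is refused even though 'unsafe-eval' is present. The function names are hypothetical, and the model assumes standard CSP source-list rules only ('unsafe-hashes' and extension-platform restrictions are not modelled).

```javascript
// Added example: simplified model of CSP's inline check for javascript: URLs.
// The first policy is the manifest value quoted in the ticket; the rest are constructed.
const MANIFEST_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-eval' chrome-extension://;";

// Parse a policy string into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would an iframe navigated to a javascript: URL be allowed to run?
// Assumption: 'unsafe-hashes' and extension-platform rules are not modelled.
function checkJavascriptUrl(policy) {
  const directives = parseCsp(policy);
  // javascript: URLs are treated as inline script, governed by the first
  // of these directives that the policy declares.
  const name = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => directives.has(d));
  if (!name) return { allowed: true, directive: null };
  const sources = directives.get(name).map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const overridden = sources.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  // 'unsafe-eval' only covers eval()-style APIs; it does not permit inline script.
  const allowed = sources.includes("'unsafe-inline'") && !overridden;
  return { allowed, directive: name };
}

for (const policy of [MANIFEST_POLICY, "script-src 'self' 'unsafe-inline'", "img-src 'self'"]) {
  console.log(JSON.stringify(checkJavascriptUrl(policy)), '<-', policy);
}
```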

Change History (5)

comment:1 Changed 6 years ago by bill

Component: General → Editor

Might be possible, although I think it uses different markup depending on the browser.

comment:2 Changed 4 years ago by dylan

Milestone: tbd → 1.12

I'm not sure that this is really fixable, but will look at it for 1.12.

comment:3 Changed 4 years ago by dylan

Milestone: 1.13 → 1.12

Moving all Editor tickets to 1.12 for now.

comment:4 Changed 3 years ago by dylan

Milestone: 1.12 → 1.13

Ticket planning... move current 1.12 tickets out to 1.13 that likely won't get fixed in 1.12.

comment:5 Changed 23 months ago by dylan

Milestone: 1.13 → 1.14