dijit/Editor does not work in Chrome extension due to Content Security Policy script-src

[lkrcal]

When instantiating the dijit/Editor by any means, e.g. using the demo available at http://dojotoolkit.org/reference-guide/1.9/dijit/Editor.html in a context of Chrome extension, there is a Content Security Policy exception.

Refused to execute JavaScript? URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' chrome-extension://".

This comes from inserting an iframe with src="javascript: ..." into DOM at RichText?.js:523.

declare.open (RichText.js:523)
declare.startup (RichText.js:206)
inherited (declare.js:189)
declare.startup (Editor.js:129)
(anonymous function) (parser.js:193)
array.forEach (array.js:251)
onConstruct (parser.js:191)
signalListener (Deferred.js:37)
then.promise.then (Deferred.js:258)
parser._instantiate (parser.js:202)
(anonymous function) (parser.js:892)
signalListener (Deferred.js:37)
then.promise.then (Deferred.js:258)
parser.parse (parser.js:891)
(anonymous function) (lang.js:373)
onEvent (ready.js:47)
processQ (domReady.js:50)
detectReady (domReady.js:63)

I assume the src script of iframe is considered to be an inline script, that is disabled in Chrome extensions by default. There is no way of relaxing this constraint in Chrome.

Possible solution may be to replace the inline script by a template loaded from another file. Once the iframe is inserted, change the DOM of the inner page (editor) according to the content.

---

Manifest CPS:

"content_security_policy" : "default-src 'self'; script-src 'self' 'unsafe-eval' chrome-extension://;"

Chrome version: Version 28.0.1500.95

[bill]

Might be possible, although I think it uses different markup depending on the browser.

[dylan]

I'm not sure that this is really fixable, but will look at it for 1.12.

[dylan]

Moving all Editor tickets to 1.12 for now.

[dylan]

Ticket planning... move current 1.12 tickets out to 1.13 that likely won't get fixed in 1.12.