Contrib.social

Support loading ACE editor locally w/o CDN

Open on Drupal.org β†’
Created on 18 September 2019, about 5 years ago
Updated 26 April 2024, 8 months ago

On sites that use a content security policy header to restrict what assets are loaded from external sources, this module is problematic because it loads the ACE editor from a CDN. I guess there are two fixes for this:

1) Add the cdnjs.cloudflare.com domain to whitelist of allowed script srcs. This is a bad idea. Whitelisting an entire CDN makes a content security policy pointless.
2) Developer must override library definition to provide a local path to the library.

I wonder if there is a better way to support using a local copy of the library?

✨ Feature request
Status

Needs work

Version

2.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States bkosborne New Jersey, USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Merge request !1Issue #3082195: Support loading ACE editor locally w/o CDN β†’ (Open) created by ruslan piskarov
  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States bkosborne New Jersey, USA

    Hmm I think it goes beyond just replacing the library path to load from a local version instead of the CDN, because the this module's asset_injector.ace_editor.js currently includes the following hardcoded:

              ace.config.set('basePath', '//cdnjs.cloudflare.com/ajax/libs/ace/1.8.1');
          ace.config.set('modePath', '//cdnjs.cloudflare.com/ajax/libs/ace/1.8.1');
          ace.config.set('themePath', '//cdnjs.cloudflare.com/ajax/libs/ace/1.8.1');

    I think these three lines are only necessary if you're loading it from the CDN. This can probably be solved if we pass down via drupalSettings if the module used the CDN or not to load the main library, and if not, don't run these lines.

  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States bkosborne New Jersey, USA

    Okay, I was wrong, we need those lines regardless, because without them the library tries to auto-detect the path to those directories and it doesn't work if JS aggregation is turned on.

    So, if the ace-builds version of the library is used (and stored locally), we need to provide its path via drupalSettings

  • Pipeline finished with Success
    4 months ago
    Total: 163s
    #249197
  • Pipeline finished with Success
    4 months ago
    Total: 165s
    #249212
  • Comment 4 months ago β†’
    πŸ‡©πŸ‡ͺGermany tobiasb Berlin

    I updated the MR for the latest changes.

  • Status changed to Needs review 4 months ago
  • Comment 4 months ago β†’
    πŸ‡©πŸ‡ͺGermany tobiasb Berlin
  • Status changed to Needs work 4 months ago
  • Comment 4 months ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    Thanks @tobiasb - the README says

    is taken from CDN as long as no min.js file exists

    but I can't see related code, what am I missing?

    Also see #18 - looks like hook_library_info_alter() and other parts like the tests are still missing?
    The referenced issue is a nice template.

  • Comment 4 months ago β†’
    πŸ‡©πŸ‡ͺGermany tobiasb Berlin

    Therefore it was "needs work". :d

  • Comment 4 months ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    Wasn't :P

    See #25 + #26

    Status: Needs review Β» Needs work

    Eventually by accident ;) All good

  • Comment 2 months ago β†’
    πŸ‡©πŸ‡ͺGermany danielehrenhofer Frankfurt

    Due to our content security policy, loading external resources, e.g. via a CDN, is prohibited. As a result, I have now noticed that ace.js appears to be loading the resource mode-css.js via a CDN: https://cdnjs.cloudflare.com/ajax/libs/ace/1.8.1/mode-css.js

    Is this known and can it be prevented somehow?

    For better illustration I have added a screenshot of my developer console.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024