WEBPACK ISSUE: Rich text editor fails to load on sites with tight CSP policy

Created on 13 September 2024, 2 months ago

Problem/Motivation

Sites running this module will have their CKEditor possibly broken if the site don't allow "eval" javascript due to a tight Content Security Policy. This is caused by the modules' built webpack assets that use eval to load code internally. This is a known webpack issue, but might alternately be caused by shipping dev versions of the javascript builds.

Sample CSP browser error:
"Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive...........(*snip* entire CSP policy) (Missing 'unsafe-eval') "

Webpack references to the issue:
https://github.com/webpack/webpack/discussions/18073
https://github.com/webpack/webpack-dev-server/pull/5045/commits

This should be fixed in webpack-dev-servr 5.x branch .
https://github.com/webpack/webpack-dev-server/releases/tag/v5.0.1

Steps to reproduce

Remove the ability to eval javascript using CSP policy (multiple CSP helper tools on the web exist).

Proposed resolution

Rebuild assets using a version of webpack that does not have the eval problem, or rebuild assets in webpack mode suitable for production use without "eval" allowed.

Remaining tasks

Rebuild assets using a version of webpack that does not have the eval problem.

User interface changes

None

API changes

None

Data model changes

Note

🐛 Bug report

Status

Active

Version

1.0

Component

Code

Created by

🇩🇪Germany yareckon

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @yareckon
Comment 2 months ago →
🇩🇪Germany yareckon
Comment 2 months ago →
🇩🇪Germany yareckon

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024