CKEditor breaks due to incompatibility with Security Kit caused by unsafe code eval

Created on 26 September 2024, 6 months ago

Problem/Motivation

Using this module together with the Security Kit (SecKit) module and a Content Security Policy (CSP) prevents CKEditor from loading. The compiled JavaScript for the accordion functionality executes its code through eval(). The production build is compiled in a way that relies on eval(), which CSP treats as unsafe unless the policy explicitly allows it, so the browser refuses to run the script and CKEditor never loads.

Steps to reproduce

  1. Enable the CKEditor Accordion
  2. Install and enable the Security Kit
  3. Under Security Kit (`/admin/config/system/seckit`) > Cross-site Scripting > Content Security Policy, check `Send HTTP response header` and add `script-src` to script-src
  4. Add accordion to the basic HTML format
  5. Observe that the accordion script does not run: the browser blocks it because it violates the Content Security Policy and is deemed unsafe

Proposed resolution

Set the webpack configuration option `devtool` to a value that does not rely on eval(), such as 'source-map' or 'none'.
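The following is an added illustration, not the module's own webpack.config.js or SecKit code. It places a devtool setting that makes webpack wrap every module in eval() next to a CSP-safe one, and adds two small checks a maintainer could run in CI: one over the webpack config, one over the site's Content-Security-Policy header. The entry path and the sample header are constructed for the example.

```javascript
// Weak: every devtool value that starts with "eval" makes webpack emit
// eval("...") wrappers around modules, which a CSP lacking 'unsafe-eval' blocks.
const weakConfig = {
  mode: 'production',
  entry: './js/accordion.js', // assumed entry path, not the module's real one
  devtool: 'eval-source-map',
};

// Hardened: a file-based source map keeps debuggability without eval().
// (Setting devtool to false disables source maps entirely.)
const safeConfig = {
  mode: 'production',
  entry: './js/accordion.js',
  devtool: 'source-map',
};

// Returns true when the devtool value would make webpack emit eval() calls.
function devtoolUsesEval(config) {
  const devtool = config.devtool;
  if (!devtool) return false; // false/undefined: no eval wrapper
  return String(devtool).startsWith('eval');
}

// Parses a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate trailing ';'
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Returns true when the policy permits eval(). eval() is governed by
// script-src; only when script-src is absent does default-src apply.
function cspAllowsEval(header) {
  const directives = parseCsp(header);
  const sources =
    directives.get('script-src') ?? directives.get('default-src') ?? [];
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Combined check: will this build be blocked under this policy?
function buildBlockedByCsp(config, header) {
  return devtoolUsesEval(config) && !cspAllowsEval(header);
}

// Constructed sample header, of the kind SecKit sends when script-src is set.
const sampleCsp = "default-src 'self'; script-src 'self' https://example.com";

console.log('weak config blocked:', buildBlockedByCsp(weakConfig, sampleCsp)); // true
console.log('safe config blocked:', buildBlockedByCsp(safeConfig, sampleCsp)); // false
```

The CSP parser deliberately falls back to default-src only when script-src is missing, since a permissive default-src does not rescue a strict script-src; that is the combination a site running SecKit is most likely to have.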

Remaining tasks

Review patch.

πŸ› Bug report
Status

Needs review

Version

2.2

Component

Code

Created by

🇬🇧 United Kingdom jnpwebdeveloper
