Live preview does not update with Seckit module configured.

Created on 28 February 2025, 6 months ago

Overview

Using XB with the Seckit module throws errors in the console and does not allow the live preview to update.
Steps to reproduce:

  1. I have created a simple component which has a Heading text
  2. I have added a prop to be able to edit the text
  3. When I add the component to the page there are no errors in the console
  4. When I try to update the heading text, I am seeing errors (see attachment) and the live preview does not update

The error message shows that we already allow a couple of values in our CSP config, but adding 'unsafe-eval' would introduce an XSS vulnerability. I assume there are others who would face the same problem with a similar configuration. (Adding 'unsafe-eval' fixes the problem.)

🐛 Bug report
Status

Active

Version

0.0

Component

Page builder

Created by

🇭🇺Hungary attilatilman


Comments & Activities

  • Issue created by @attilatilman
  • 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

    Excellent find, thanks!

    We should have a test that reproduces this, to ensure XB indeed works on sites with Content-Security-Policy active.

    Ideally, that test wouldn't require installing the seckit module, but we could make that work — see 📌 Page has Metatag integration Active for how we added a test for XB + metatag, without making XB depend on it.

    I have created a simple component which has a Heading text

    Is this an SDC? Is this the existing experience_builder:heading SDC?

  • 🇭🇺Hungary attilatilman

    I have created a component from scratch through XB. Attached screenshot about example.

  • 🇳🇱Netherlands balintbrews Amsterdam, NL
  • 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

    #3: Ah, that makes a ton more sense: it's a code component. I suspected it, but couldn't be certain based on the issue summary. Cool, then we'll be able to reproduce this easily.

    I hear from @balintbrews that there's been chats about this problem space, and that @mglaman has additional detail to share, as well as @effulgentsia. Since Matt is further east than Alex, assigning to him first.

  • 🇳🇱Netherlands balintbrews Amsterdam, NL
  • 🇳🇱Netherlands balintbrews Amsterdam, NL
  • Assigned to balintbrews
  • 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

    AFAICT this has been (largely?) solved elsewhere?

    @balintbrews, can you give us an update? 😇🙏

  • 🇳🇱Netherlands balintbrews Amsterdam, NL

    📌 Do not inline script for code editor preview Active was our immediate response, but it didn't fix everything. E.g. we still use the blob URI scheme, which still may not be great when it comes to strict CSP configurations.

    @attilatilman, what is the current config you're using?

  • 🇳🇱Netherlands balintbrews Amsterdam, NL
  • 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

    Thanks!

  • 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺

    This seems like a stable blocker? 😇

  • 🇺🇸United States effulgentsia

    Per discussion with @lauriii, this doesn't have to block beta1, but it would be good to resolve early in the beta phase.

  • Issue was unassigned.
  • 🇺🇸United States effulgentsia

    We're not targeting this for beta anymore. I'd still like to resolve it relatively soon after beta1, but the "stable blocker" tag plus Major priority is enough to keep this on our radar for that.

  • 🇭🇺Hungary attilatilman

    @balintbrews You asked for an example configuration for Seckit. I am really sorry; somehow I missed your message, but I am adding it here now:

    seckit_xss:
      csp:
        checkbox: true
        vendor-prefix:
          x: false
          webkit: false
        report-only: false
        default-src: "'self' https:"
        script-src: "'self' https: 'sha256-hash'"
        object-src: ''
        style-src: "'self' https: 'unsafe-inline'"
        img-src: 'https: data:'
        media-src: ''
        frame-src: "'self' https:"
        frame-ancestors: "'self'"
        child-src: ''
        font-src: ''
        connect-src: ''
        report-uri: /report-csp-violation
        upgrade-req: false
        policy-uri: ''
      x_xss:
        select: 0
        seckit_x_xss_option_disable: Disabled
        seckit_x_xss_option_0: '0'
        seckit_x_xss_option_1: 1;
        seckit_x_xss_option_1_block: '1; mode=block'
    seckit_csrf:
      origin: false
      origin_whitelist: ''
    seckit_clickjacking:
      js_css_noscript: false
      noscript_message: 'Sorry, you need to enable JavaScript to visit this website.'
      x_frame: '1'
      x_frame_allow_from: ''
    seckit_ssl:
      hsts: false
      hsts_subdomains: false
      hsts_max_age: 1000
      hsts_preload: false
    seckit_ct:
      expect_ct: false
      max_age: 86400
      report_uri: ''
      enforce: false
    seckit_fp:
      feature_policy: false
      feature_policy_policy: ''
    seckit_various:
      from_origin: false
      from_origin_destination: same
      referrer_policy: true
      referrer_policy_policy: strict-origin-when-cross-origin
      disable_autocomplete: false
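Added example (my own code, not Seckit's or Experience Builder's): a small CSP auditor that parses a policy header, resolves the script-src fallback to default-src, and reports whether scripts may call eval(), load from blob: URLs, or run inline. The two header strings are constructed from the seckit_xss.csp values posted above, keeping 'sha256-hash' as the placeholder it is there.

```python
from __future__ import annotations
# Directives that fall back to default-src when absent (frame-ancestors does not).
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                       "media-src", "object-src", "frame-src", "child-src"}

# Constructed from the seckit_xss.csp values in the comment above; 'sha256-hash'
# is that config's placeholder, not a real digest.
REPORTED_POLICY = ("default-src 'self' https:; script-src 'self' https: 'sha256-hash'; "
                   "style-src 'self' https: 'unsafe-inline'; img-src https: data:; "
                   "frame-src 'self' https:; frame-ancestors 'self'; "
                   "report-uri /report-csp-violation")
# The quick fix from the issue summary: eval() is then allowed for every script on the page.
UNSAFE_EVAL_POLICY = REPORTED_POLICY.replace("'sha256-hash'", "'sha256-hash' 'unsafe-eval'")

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list governing `directive`; None means no restriction applies."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None

def scheme_allowed(sources: list[str] | None, scheme: str) -> bool:
    """blob:/data: must be listed explicitly; 'self', https: and even * do not cover them."""
    return sources is None or f"{scheme}:" in sources

def audit_scripts(header: str) -> dict[str, bool]:
    """What the effective script-src lets scripts do: eval, blob: loads, inline execution."""
    srcs = effective_sources(parse_csp(header), "script-src")
    hashed = srcs is not None and any(
        s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in srcs)
    return {
        "eval": srcs is None or "'unsafe-eval'" in srcs,
        "blob": scheme_allowed(srcs, "blob"),
        # CSP level 2+: a hash or nonce source makes browsers ignore 'unsafe-inline'
        "inline": srcs is None or ("'unsafe-inline'" in srcs and not hashed),
    }
```

audit_scripts(REPORTED_POLICY) returns all three as False, which is why the preview cannot eval or use blob: scripts; with UNSAFE_EVAL_POLICY only "eval" flips to True, for every script on the page, not just the preview.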
    
  • 🇫🇮Finland lauriii Finland

    If we don't get to this before stable, we will document this in known issues and recommend a way to work around this.
