add support for CSP nonces in createStyleTag #2601
Conversation
|
✔️ Deploy Preview for tiptap-embed ready! 🔨 Explore the source changes: 86200e9 🔍 Inspect the deploy log: https://app.netlify.com/sites/tiptap-embed/deploys/62262921f3813700072881ae 😎 Browse the preview: https://deploy-preview-2601--tiptap-embed.netlify.app |
|
Isn’t your issue solved with |
|
@cadars Well that fixes the CSP issue, but then I have to manually copy the styles from tiptap's style typescript file into my stylesheet, and keep it up-to-date with every tiptap update. As the styles are in said typescript file and not a css file, they can't be directly included in the application bundle. Adding the CSP nonce would allow users to keep using the latest tiptap CSS automatically. |
|
Thanks, looks good to me! |
Hi,
I noticed that tiptap injects a style element into the page's
head. This breaks when using a Content Security Policy that disallowsunsafe-inline, as there is currently no way to add anonceto the dynamic style element.As the injected CSS is in a typescript file and not a CSS file, there is no easy way to include it in the application bundle, and it differs from the default
prosemirror.css.To resolve this, I added an option called
injectNonceto tiptap which, when set, adds anonceattribute to the dynamic style element.Another solution would of course be to refactor the style into a CSS file which can be imported alongside tiptap, avoiding the dynamic element entirely, but that would probably require more code changes.
Additionally, the
injectNonceoption could be handy if any other dynamic injection of styles or scripts is required in the future.I'm open to discussion, but it would be great if we could use this amazing editor with a CSP!