Trusted Types API violation fix #5561
Conversation
rafaelhovhannisyan24
requested review from
bdbch and
svenadlung
as code owners
|
✅ Deploy Preview for tiptap-embed ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
@nperez0111 I also had same issue and seems @rafaelhovhannisyan24(thank you) fixed it on this pr - #5561 |
| if (window.trustedTypes) { | ||
| // @ts-ignore | ||
| // eslint-disable-next-line no-undef | ||
| policy = window.trustedTypes.createPolicy('tiptap', { |
There was a problem hiding this comment.
This doesn't make sense on why it's being repeated
| @@ -12,7 +12,7 @@ export function createStyleTag(style: string, nonce?: string, suffix?: string): | |||
| } | |||
|
|
|||
| styleNode.setAttribute(`data-tiptap-style${suffix ? `-${suffix}` : ''}`, '') | |||
| styleNode.innerHTML = style | |||
There was a problem hiding this comment.
Is this actually equivalent?
| export function elementFromString(value: string): HTMLElement { | ||
| // add a wrapper to preserve leading and trailing whitespace | ||
| const wrappedValue = `<body>${value}</body>` | ||
| const wrappedValue = policy.createHTML(`<body>${value}</body>`) |
There was a problem hiding this comment.
Does prosemirror support this because I am not willing to use this if prosemirror does not even support this.
A link to the source would be enough to convince me. Probably in prosemirror view since that touches the DOM
Fix for Trusted Types Issue with TipTap on YouTube
YouTube recently enforced a stricter Content Security Policy with Trusted Types, causing TipTap to stop working in our Chrome extension. The issue arose because Trusted Types restrict certain operations like innerHTML, which TipTap relies on.
Solution:
We implemented a custom Trusted Types policy that allows TipTap to function correctly within YouTube's security framework. This fix involves defining and applying a policy that permits the necessary unsafe operations while maintaining security.
https://web.dev/articles/trusted-types#fix_the_violations