Skip to content

feat: add nonce attribute for loading scripts with csp policy #554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
felixmosh wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add nonce attribute for loading scripts with csp policy #554

felixmosh wants to merge 1 commit into from

Conversation

@felixmosh
Copy link

@felixmosh felixmosh commented Oct 7, 2024

closes #553

@felixmosh felixmosh requested a review from a team as a code owner October 7, 2024 18:37
@felixmosh felixmosh requested review from TheSpyder, ltrouton and spocke and removed request for a team October 7, 2024 18:37
@felixmosh
Copy link
Author

felixmosh commented Oct 8, 2025

?

tiny-ben-tran
tiny-ben-tran reviewed Nov 12, 2025
View reviewed changes
@tiny-ben-tran
Copy link
Collaborator

tiny-ben-tran commented Dec 5, 2025

@felixmosh Looking back at #553, it sounds like you're hoping to load TinyMCE with a nonce and have that nonce automatically applied to every script TinyMCE creates. If that's the case, unfortunately this PR won’t achieve that.

Even if that’s not the goal, this change still won’t allow you to enforce a strict CSP reliably, since TinyMCE dynamically injects additional scripts at init time (for plugins, skins, and other resources).

You may want to forward this as a feature request to the TinyMCE issue tracker
, as this would need to be addressed within the core editor.

For reference, Tiny has a useful guide on CSP considerations here:
TinyMCE CSP Guide

@felixmosh
Copy link
Author

felixmosh commented Dec 5, 2025

Usage of nonce for csp, is standard thing.
The spec says, if a script is loaded with nonce, every loaded script from it will be trusted.
So, there is no need to apply it to all loaded scripts...
Currently, I'm forced to allow entire cdn url... Which is wrong.

@tiny-ben-tran
Copy link
Collaborator

tiny-ben-tran commented Dec 5, 2025

Don't you also need to add strict-dynamic for trust to be propagated according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#strict-dynamic?

@felixmosh
Copy link
Author

felixmosh commented Dec 5, 2025

Yeap...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tiny-ben-tran tiny-ben-tran tiny-ben-tran left review comments

@spocke spocke Awaiting requested review from spocke spocke is a code owner automatically assigned from tinymce/tinymce-reviewers

@TheSpyder TheSpyder Awaiting requested review from TheSpyder TheSpyder is a code owner automatically assigned from tinymce/tinymce-reviewers

@ltrouton ltrouton Awaiting requested review from ltrouton ltrouton is a code owner automatically assigned from tinymce/tinymce-reviewers

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

Community PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add the nonce as a valid attibute for script loading

3 participants

@felixmosh @tiny-ben-tran @TheSpyder