Customize CSP for HTML preview #1510
Comments
|
Thank you for suggesting this. This might pose a security or privacy risk, and might trick users into doing things with unintended consequences. Therefore I'm sceptical. Please provide a more detailed example (possibly with code) showing which content can't be included. |
|
Might be related: #1508 |
|
My use case is embedding Structurizr diagrams to provide a live view with interactive exploration. This is done using iframes; see Embedding diagrams in the Structurizr docs. An example in AsciiDoc: In the IntelliJ JCEF preview, I see the following error in the dev console: As a workaround, instead of viewing it directly in the IntelliJ preview, I can convert my file to HTML and open it in a browser. |
|
Thank you for this example. The next version of the plugin adds |
|
The release 0.41.11 which includes this change will be available in the JetBrains marketplace later today. |
|
Allowing https://structurizr.com/ does not help if you have a custom on-prem installation of Structurizr, e.g. in a corporate network. I think a configurable allow list is desirable. Of course, as you said, this may pose a security or privacy risk if used incorrectly. Plus, this feature suggestion issue is just a nice-to-have from my point of view, as it is presumably seldom needed, and there is a workaround (open HTML in external browser). |
|
In any case, thank you very much, not only in this context, but in general for the great work and the continuous support of the entire plugin! |
Why the new feature should be added
As a user, I would like to add additional trusted sources to the CSP (Consent Security Policy). This would allow previewing pages with embedded content, e.g. from intranet sites in a corporate environment.
How the new feature should work
Add an option "Additional CSP frame sources" to the plugin settings. Its value shall be added to the CSP used by the HTML preview.
The text was updated successfully, but these errors were encountered: