Code does not comply with Content-Security-Policy when 'unsafe-inline' is not present.

[kevinmartin]

I am currently using Quill on one of my apps that I will be releasing this week.

The app using a very strict CSP header (currently in Report-Only mode), which disallows unsafe-inline. The CSP header emits an error when Quill calls addStyles(...).

[kevinmartin]

This issue is also present with the icons inserted with data-uri's, but I was able to fix it by adding data: to the img-src section.

[jhchen]

Can you include the exact header?

[kevinmartin]

Sure:

Content-Security-Policy-Report-Only:default-src 'self';script-src 'self' 'unsafe-eval' https://maps.googleapis.com https://maps.gstatic.com http://google-maps-utility-library-v3.googlecode.com https://ajax.googleapis.com http://cdnjs.cloudflare.com https://mts1.googleapis.com http://fonts.googleapis.com http://mt1.googleapis.com http://maps.gstatic.com/mapfiles http://googleapis.com;object-src 'self';img-src 'self' data: https://dpbob3sbronwq.cloudfront.net https://maps.gstatic.com https://mts0.googleapis.com https://mts1.googleapis.com https://maps.googleapis.com https://csi.gstatic.com http://mt1.googleapis.com;media-src 'self';frame-src 'self';font-src 'self' http://fonts.gstatic.com https://fonts.gstatic.com http://maxcdn.bootstrapcdn.com;connect-src 'self';style-src 'self' http://fonts.googleapis.com https://fonts.googleapis.com http://maxcdn.bootstrapcdn.com;report-uri /api/csp

[jhchen]

You can now pass in false to the style config to prevent Quill from adding style tags.

[timshannon]

That style config link is no longer valid. What's the most current way to handle this?

[binarious]

@jhchen What's the solution for the current Quill version to prevent inline style?

[Gladskih]

@jhchen May be we should go back to iframe for sandboxing unsafe Quill?