I am currently using Quill on one of my apps that I will be releasing this week.
The app is using a very strict CSP header (currently in Report-Only mode), which disallows unsafe-inline. The CSP header emits an error when Quill calls addStyles(...).
This issue is also present with the icons inserted with data URIs, but I was able to fix it by adding data: to the img-src section.
Can you include the exact header?
Sure:
Content-Security-Policy-Report-Only:default-src 'self';script-src 'self' 'unsafe-eval' https://maps.googleapis.com https://maps.gstatic.com http://google-maps-utility-library-v3.googlecode.com https://ajax.googleapis.com http://cdnjs.cloudflare.com https://mts1.googleapis.com http://fonts.googleapis.com http://mt1.googleapis.com http://maps.gstatic.com/mapfiles http://googleapis.com;object-src 'self';img-src 'self' data: https://dpbob3sbronwq.cloudfront.net https://maps.gstatic.com https://mts0.googleapis.com https://mts1.googleapis.com https://maps.googleapis.com https://csi.gstatic.com http://mt1.googleapis.com;media-src 'self';frame-src 'self';font-src 'self' http://fonts.gstatic.com https://fonts.gstatic.com http://maxcdn.bootstrapcdn.com;connect-src 'self';style-src 'self' http://fonts.googleapis.com https://fonts.googleapis.com http://maxcdn.bootstrapcdn.com;report-uri /api/csp
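Added example, not part of the original thread and not Quill's own code: a small checker that parses a policy like the one above and reports whether a script-injected `<style>` element and a `data:` image would be allowed, including the fallback to `default-src`. The function names are hypothetical and `POLICY` is a trimmed copy of the posted header value.

```javascript
// Trimmed copy of the policy posted above (most host sources omitted for brevity).
const POLICY = "default-src 'self';img-src 'self' data: https://maps.gstatic.com;" +
  "style-src 'self' https://fonts.googleapis.com;report-uri /api/csp";

// Parse a serialized policy into Map<directive, sources[]>.
// If a directive is repeated, only its first occurrence is used.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return the source list that governs a resource type, following the fallback chain.
function effectiveSources(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no directive applies: the policy does not restrict this type
}

// Would a <style> element without a nonce, injected by script, be allowed?
function allowsInlineStyleElement(directives) {
  const src = effectiveSources(directives, ["style-src-elem", "style-src", "default-src"]);
  if (src === null) return true;
  const lower = src.map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Would <img src="data:..."> be allowed? The '*' wildcard does not cover data:.
function allowsDataImage(directives) {
  const src = effectiveSources(directives, ["img-src", "default-src"]);
  if (src === null) return true;
  return src.some((s) => s.toLowerCase() === "data:");
}

const parsed = parseCsp(POLICY);
console.log("inline <style> allowed:", allowsInlineStyleElement(parsed));
console.log("data: image allowed:", allowsDataImage(parsed));
```

For the posted policy this reports the injected style element as blocked and the `data:` icons as allowed, which matches the behaviour described above.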
You can now pass in false to the style config to prevent Quill from adding style tags.
That style config link is no longer valid. What's the most current way to handle this?
@jhchen What's the solution for the current Quill version to prevent inline style?
@jhchen Maybe we should go back to iframe for sandboxing unsafe Quill?