Trix injects a couple of inline <style> blocks into the page <head>: one for the editor itself, and another for the toolbar. Neither block includes a nonce attribute; consequently, the CSP must include 'unsafe-inline' in the style-src directive.
It would be nice to be able to either:
nonce attributes for its inline style blocks, or...<style> blocks altogetherMaybe I'm missing the point, but these <style> blocks appear not to contain anything that could not be factored out into the existing trix.css external stylesheet.
<style> blocks that Trix has injectedHey @spdawson, thanks for the report!
Maybe I'm missing the point, but these
<style>blocks appear not to contain anything that could not be factored out into the existingtrix.cssexternal stylesheet.
The inline <style> styles are for crucial core functionality and behavior. Without them, the editor may not behave correctly. The trix.css are optional and purely decorative. So, that's the reason they're separate. Technically you're correct, the inline styles could be moved to an external .css file.
I see a couple options:
Trix.config option to disable the inline styles and offer them as a .css file alternative.nonce to use for its <style> tags, possibly as a <meta name="trix-style-nonce" content="..."> tag. Might look something like:```diff
--- a/src/trix/core/helpers/custom_elements.coffee
+++ b/src/trix/core/helpers/custom_elements.coffee
@@ -35,9 +35,15 @@ insertStyleElementForTagName = (tagName) ->
element = document.createElement("style")
element.setAttribute("type", "text/css")
element.setAttribute("data-tag-name", tagName.toLowerCase())
+ if nonce = getNonceForStyleElement()
+ element.setAttribute("nonce", nonce)
document.head.insertBefore(element, document.head.firstChild)
element
+getNonceForStyleElement = ->
+ if element = document.head.querySelector("meta[name=trix-style-nonce]")
+ element.getAttribute("content")
+
```
This issue has been automatically marked as stale after 90 days of inactivity. It will be closed if no further activity occurs.
This should not have been marked as stale (as in: it has not been resolved)
It seems not fixed. Is there any plan to fix this in Trix?
This issue has been automatically marked as stale after 90 days of inactivity. It will be closed if no further activity occurs.
It's not stale.
Just ignored @SleeplessByte
Closed via https://github.com/basecamp/trix/pull/698