1

I had a text editor in my react app, everything until now was working perfect, until I decided to add Content-Security-Policy in my app. Then my Text Editor stoped working. So I put this meta tag inside my head tag

 <meta http-equiv="Content-Security-Policy" content="script-src 'self' https://cdn.tiny.cloud/1/MY-API-KEY/tinymce/5/tinymce.min.js 'unsafe-eval' ">

but still is not working, what am I missing ? I am also getting this error in console

tinymce.min.js:4 Refused to load the script 'https://cdn.tiny.cloud/1/API-KEY/tinymce/5.10.2-126/themes/silver/theme.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://cdn.tiny.cloud/1/API-KEY/tinymce/5/tinymce.min.js 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Jose A.
  • 483
  • 2
  • 7
  • 15
  • 3
    Have you tried following the TinyMCE documentation for this? https://www.tiny.cloud/docs/advanced/security/#configuringcontentsecuritypolicycspfortinymce – newso Jan 17 '22 at 23:46
  • thank you, I think this is very useful – Jose A. Jan 18 '22 at 15:20

1 Answers1

0

A full URL is not an allowed source, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src. You should only include the host or IP, but you can optionally include the scheme and the port.

Halvor Sakshaug
  • 2,583
  • 1
  • 6
  • 9