Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

fix(site): Fix CSP directives for monaco#6709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
BrunoQuaresma merged 1 commit intomainfrombq/monaco-local
Mar 21, 2023
Merged

Conversation

BrunoQuaresma
Copy link
Collaborator

Closes#6590

@BrunoQuaresmaBrunoQuaresma requested a review froma teamMarch 21, 2023 19:37
@BrunoQuaresmaBrunoQuaresma self-assigned thisMar 21, 2023
@BrunoQuaresmaBrunoQuaresma requested review fromKira-Pilot and removed request fora teamMarch 21, 2023 19:37
@BrunoQuaresmaBrunoQuaresmaenabled auto-merge (squash)March 21, 2023 19:45
@BrunoQuaresmaBrunoQuaresma requested a review froma teamMarch 21, 2023 19:45
@BrunoQuaresmaBrunoQuaresma merged commit5cbe360 intomainMar 21, 2023
@BrunoQuaresmaBrunoQuaresma deleted the bq/monaco-local branchMarch 21, 2023 19:51
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsMar 21, 2023
@@ -326,7 +326,8 @@ func cspHeaders(next http.Handler) http.Handler {
CSPDirectiveScriptSrc: {"'self' https://cdn.jsdelivr.net"},
CSPDirectiveStyleSrc: {"'self' 'unsafe-inline' https://cdn.jsdelivr.net"},
// data: is used by monaco editor on FE for Syntax Highlight
CSPDirectiveFontSrc: {"'self' data:"},
CSPDirectiveFontSrc: {"'self' https://cdn.jsdelivr.net data:"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

cc@Emyrk

@BrunoQuaresma we can't import external assets like this, because we're self-hosted customers might be airgapped.

Copy link
CollaboratorAuthor

@BrunoQuaresmaBrunoQuaresmaMar 21, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yes, I'm aware of it. Since we are already doing it I added it as a quick fix. In the past, I tried to make Monaco editor work with local file but it didn't work. I will give it a try again during the week. If we are not able to get this working, we may need a plan.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Ahh, I see! That's helpful context.

Customers will likely see this come up in security scans, becauseI believe users can host anything onjsdelivr, so an XSS attack becomes possible with this in product.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Good to know about jsdeliver. We can match specific files, eg:

https://cdn.jsdelivr.net/the/file/we/want

Copy link
CollaboratorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I totally agree. I think would be very hard to track files individually.

Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@EmyrkEmyrkEmyrk left review comments

@kylecarbskylecarbskylecarbs left review comments

@Kira-PilotKira-PilotKira-Pilot approved these changes

Assignees

@BrunoQuaresmaBrunoQuaresma

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

template editor: some editor icons do not show up
4 participants
@BrunoQuaresma@Emyrk@kylecarbs@Kira-Pilot
[8]ページ先頭
©2009-2025 Movatter.jp