Giters

suren-atoyan / monaco-react

Monaco Editor for React - use the monaco-editor in any React application without needing to use webpack (or rollup/parcel/etc) configuration files / plugins

Home Page:https://monaco-react.surenatoyan.com/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Propagate CSP to child scripts like vscode-loader

madhukivera opened this issue · comments

commented

Describe the bug
We are unable to add CSPs for Monaco React because the underlying monaco-editor uses inline style injections. While there is a long lasting issue microsoft/monaco-editor#271 to ask for Monaco Editor itself to support CSPs, they have been ignoring it for a long time.

Meanwhile the vscode-loader had made a workaround to propagate nonce to all child elements microsoft/vscode-loader#15

Some one even tried to add hashes, but it seems Monaco uses them dynamically on each load and there is no point to adding them:
microsoft/monaco-editor#271 (comment)

We need this to be implemented in monaco-react/loader

To Reproduce

  1. Add CSP
  2. See the styles break
  3. Add unsafe-inline
  4. See everything working