TrustedTypes-Violation when pasting #1493

Closed
REPLicated opened this issue Nov 5, 2024 · 3 comments

Unfortunately, even after #1485, prosemirror does not properly support the TrustedTypes mechanism when using a restrictive Content-Security-Policy.

In Chrome-based browsers (e.g. Edge 130.0 on Linux or Windows), pasting links into the editor may produce CSP-violation errors in the console and the link is then not recognized as such. I am not sure why this does not always happen but sometimes requires several attempts to reproduce.

The resulting error:

```
ERROR TypeError: Failed to execute 'createPolicy' on 'TrustedTypePolicyFactory': Policy "detachedDocument" disallowed.
    at maybeWrapTrusted (index.js:2963:25)
    at readHTML (index.js:2973:21)
    at parseFromClipboard (index.js:2814:15)
    at doPaste (index.js:3614:17)
    at push.72677.editHandlers.paste (index.js:3643:17)
    at view.dom.addEventListener.view.input.eventHandlers.<computed> (index.js:3052:17)
```

This happens because we have a strict CSP that defines `trusted-types angular foobar default; require-trusted-types-for 'script';`, i.e. only policies with names `angular`, `foobar` and `default` are allowed to be created and used. It took me some time to find the code responsible for the violation, since the policy used by prosemirror is called `detachedDocument`. Suggestion: Could it be renamed to e.g. `prosemirror` or `proseMirrorClipboardParsing` so that the source of the policy violation can be better identified?

Having identified the issue, I added `detachedDocument` to the `trusted-types` of the CSP header, expecting link pasting to work. However, we then get another error:

```
ERROR TypeError: Failed to execute 'createPolicy' on 'TrustedTypePolicyFactory': Policy with name "detachedDocument" already exists.
    at maybeWrapTrusted (index.js:2963:25)
    at readHTML (index.js:2973:21)
    at parseFromClipboard (index.js:2814:15)
```

It turns out that policies may only be created once (unless `allow-duplicates` is configured in the header, which significantly weakens the policy). This is e.g. mentioned here: https://developer.mozilla.org/en-US/docs/Web/API/TrustedTypePolicyFactory/createPolicy#exceptions

Could you create the policy once and use it thereafter (reading it from a property/variable somewhere)?

marijnh added a commit to ProseMirror/prosemirror-view that referenced this issue Nov 5, 2024
FIX: Don't recreated `TrustedTypePolicy` objects for every paste.

Issue ProseMirror/prosemirror#1493

marijnh commented Nov 5, 2024

Could you verify that something like the attached patch solves this problem?

@REPLicated (Author)

Using the patch, I can no longer reproduce the error. Thank you.

How do you feel about renaming the created policy to be clearly associated with ProseMirror?


marijnh commented Nov 5, 2024

Yeah, that's probably a good idea. I've switched to "ProseMirrorClipboard" and tagged a 1.36.0.

@marijnh marijnh closed this as completed Nov 5, 2024
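
The two errors reported in this issue and the create-once pattern the reporter asked for, as an added example that is not part of the thread and is not ProseMirror's patch. `makeFactory` is a constructed stand-in for `window.trustedTypes`, and `wrapPerCall`, `makeCachedWrapper` and the identity `createHTML` rule are hypothetical names and assumptions of this sketch.

```javascript
// Constructed stand-in for window.trustedTypes: enforces a CSP `trusted-types`
// allow-list without 'allow-duplicates', like the browser in the report.
function makeFactory(allowedNames) {
  const created = new Set();
  return {
    createPolicy(name, rules) {
      if (!allowedNames.includes(name))
        throw new TypeError(`Policy "${name}" disallowed.`);
      if (created.has(name))
        throw new TypeError(`Policy with name "${name}" already exists.`);
      created.add(name);
      // Mimic TrustedHTML: an object that stringifies to the vetted markup.
      return { name, createHTML: (s) => ({ toString: () => rules.createHTML(s) }) };
    },
  };
}

// "Before" pattern: a new policy per call, so the second paste throws.
function wrapPerCall(factory, policyName, html) {
  return factory.createPolicy(policyName, { createHTML: (s) => s }).createHTML(html);
}

// "After" pattern (hypothetical helper): create the policy lazily, once, and
// remember a failure so a blocked name is not retried on every paste.
function makeCachedWrapper(factory, policyName) {
  let policy; // undefined = not attempted, null = unsupported or blocked
  return function wrap(html) {
    if (policy === undefined) {
      try {
        // Identity rule is an assumption of this sketch; it is only acceptable
        // when the result is parsed in an inert document and filtered afterwards.
        policy = factory ? factory.createPolicy(policyName, { createHTML: (s) => s }) : null;
      } catch (err) {
        policy = null;
      }
    }
    return policy ? policy.createHTML(html) : html;
  };
}

// In a browser, pass window.trustedTypes (undefined where unsupported).
const csp = ["angular", "foobar", "default", "ProseMirrorClipboard"];
const wrap = makeCachedWrapper(makeFactory(csp), "ProseMirrorClipboard");
const pastes = ['<a href="https://example.com">one</a>', "<b>two</b>"].map(wrap);
console.log(pastes.map(String));
```

Under `require-trusted-types-for 'script'`, the plain string returned on the fallback path is still subject to the browser's sink check, so it is accepted only if a `default` policy is defined and converts it.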