使用没有 style-src 'unsafe-inline' 的 ACE Web-Editor

Question

I would like to use the ACE-Editor: https://ace.c9.io and also CSP (content-security-policy). At the moment the ACE-Editor is just working, when I allow the unsafer inline styling: style-src 'unsafe-inline'.

Is there a way to use the Ace Editor without inline styling? (I downloaded the ace.js file from https://ace.c9.io )

My Code:

<body>
<script src="{{url_for('static', filename='ace.js')}}" type="text/javascript" charset="utf-8"></script>

<h2>Code editor</h2>

<br>

<button type="button" class="btn btn-primary btn-lg" id="edit_code">Edit</button>
<button type="button" class="btn btn-primary btn-lg" id="SendCode">Send to server</button>
<br> <br>

<div class="editor" id="editor">
import math

def foo(): 
    x = "All this is syntax highlighted"
    return x

print(foo())
</div> 

<script src="{{ url_for('static', filename='code_editor.js') }}"></script>
</body>

the content of the code_editor.js file:

document.addEventListener('DOMContentLoaded', function () {

    class CodeEditor {
        constructor() {
            this.editor = ace.edit("editor");
            this.editor.setTheme("ace/theme/twilight");
            this.editor.session.setMode("ace/mode/python");
        }

        activate_edit_mode() {
            this.editor.setReadOnly(false);
            document.getElementById("SendCode").disabled = true;
        }

        post_code() {
            // Sends the working code to the server backend,
            // from here it gets inserted into the queque

            var arr = { python_code: this.editor.getValue()};
            $.ajax({
                url: '/login/receiver',
                type: 'POST',
                data: JSON.stringify(arr),
                contentType: 'application/json; charset=utf-8',
                dataType: 'json', // # expected return data type
                async: false,
                success: function successor(){
                    alert("Data was succesfully sended to the server!");
                    },
                error: function(jqXhr, textStatus, errorMessage){
                alert("Error: "+ errorMessage);
                    }

                });
                // stop link reloading the page
                event.preventDefault();
        }       

    };

    const code_editor = new CodeEditor();
    code_editor.activate_edit_mode();
    // Code editor functions

    function post_code() {
        code_editor.post_code();
    }

    function make_ace_editable() {
        code_editor.activate_edit_mode();
    }

    // Button interactions
    document.getElementById("SendCode").addEventListener("click", post_code);
    document.getElementById("edit_code").addEventListener("click", make_ace_editable);
})

Thanks for the help in advance!

Answer 1

Ace Editor uses 2 kinds of inline styles:

• '' blocks for color theme, injected by script
• style= attribute in tags like <div style='...'> and <textarea style='..'>

Theoretically you can to calc sha256 hashes for such inline styles and do allow those via 'hash-source' + 'unsafe-hashes', but this will applicable for specific Ace version, color theme and language highlighting.
The question is what to do with browsers not support 'unsafe-hashes'? 'unsafe-inline' will be cancelled by 'hash-source' therefore Editor will not operate in those browsers.

Alternatively you can place Ace Editor into sandboxed <iframe> and use less restrictive CSP in it.

But main question is still arised - what to do with unsafe-eval in scripts of Ace? In Firefox browsers Call to eval() or related function blocked by CSP violation occurs , in Chrome - does not.
Ace Editor do really use unsafe eval constructs, but inside workers. Chrome and FF have different behaviour related CSP violations for this case.
Although visually the editor works in FF even with locked eval