Remove Data URLs from code
In this piece of code a data URL is used:
https://github.com/josdejong/jsoneditor/blob/e69a835f721bab6824b65f3d13717a20ff7d81f7/src/js/ace/theme-jsoneditor.js#L138
This requires applications using Content Security Policy directives with full restrictions to allow data: as described here and here.
https://security.stackexchange.com/questions/94993/is-including-the-data-scheme-in-your-content-security-policy-safe discusses whether
data: is safe or not. One answer suggests it has never been proven to be unsafe, even though multiple articles mention it is.
To be on the safe side, many applications forbid data: and only allow 'self' as the CSP source.
Would it be possible to put the SVG in an external file and instead bundle it that way? I.e. as a real URL to the .svg. It's also nice in the sense that users can actually open the SVG in the src in this repo to see what it looks like 😄
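A concrete way to see the problem described above: scan a bundled file for data: URLs and check them against the CSP the application ships. This is an added example, not code from jsoneditor or its author; the function names are hypothetical, the sample bundle is constructed to resemble a CSS rule with an embedded SVG, and the policy matcher is a deliberate simplification of CSP source matching (exact origins and 'self' only).

```javascript
// Added example, not code from jsoneditor: locate data: URLs in a bundled
// source file and check them against a Content-Security-Policy header.
// SAMPLE_BUNDLE is constructed; the base64 payload is simply "<svg/>".
const SAMPLE_BUNDLE = [
  '.ace-jsoneditor .ace_fold {',
  '  background-image: url("data:image/svg+xml;base64,PHN2Zy8+");',
  '}',
  '.ace-jsoneditor .ace_icon { background-image: url("./icons/fold.svg"); }',
].join('\n');

// data:<media-type>[;param...],<payload> as it appears inside url() or a
// JS string literal. Matching stops at the comma, so the payload itself is
// not captured.
const DATA_URL_RE = /data:([a-z0-9.+-]+\/[a-z0-9.+-]+)((?:;[^,"')\s]*)*),/gi;

function findDataUrls(source) {
  const hits = [];
  for (const m of source.matchAll(DATA_URL_RE)) {
    hits.push({
      offset: m.index,
      mediaType: m[1].toLowerCase(),
      params: m[2], // e.g. ";base64", or "" when there are no parameters
      base64: /;base64/i.test(m[2]),
    });
  }
  return hits;
}

// Parse a CSP header value into Map<directive, string[]>. Directive names
// and source expressions are case-insensitive, so both are lowercased.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Fetch directives such as img-src fall back to default-src when absent.
// Returns null when neither is present, i.e. the policy does not restrict it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  const fallback = policy.get('default-src');
  return fallback === undefined ? null : fallback;
}

// Would a browser enforcing `policy` fetch `url` under `directive`?
// Simplified matcher (assumption): exact-origin host-sources and 'self'
// only; real CSP host matching also handles host wildcards and paths.
function cspAllows(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  if (/^data:/i.test(url)) {
    // Only the scheme-source 'data:' matches a data: URL. The '*'
    // wildcard does not cover the data:, blob: or filesystem: schemes.
    return sources.includes('data:');
  }
  let origin;
  try {
    // Relative URLs (like the ./icons/fold.svg above) resolve against the page.
    origin = new URL(url, pageOrigin).origin.toLowerCase();
  } catch (e) {
    return false; // relative URL with no page origin to resolve against
  }
  if (sources.includes('*')) return true;
  if (sources.includes("'self'") && pageOrigin && origin === pageOrigin.toLowerCase()) return true;
  return sources.includes(origin);
}

// Report every data: URL in `source` together with whether `cspHeader`
// permits it. Images referenced from CSS background-image fall under img-src.
function auditDataUrls(source, cspHeader, directive) {
  const dir = directive || 'img-src';
  const policy = parseCsp(cspHeader);
  return findDataUrls(source).map((hit) => ({
    ...hit,
    directive: dir,
    allowed: cspAllows(policy, dir, 'data:' + hit.mediaType + hit.params + ','),
  }));
}

// Usage: the strict policy from this issue blocks the embedded SVG;
// adding data: to img-src lets it through.
console.log(auditDataUrls(SAMPLE_BUNDLE, "default-src 'self'"));
console.log(auditDataUrls(SAMPLE_BUNDLE, "default-src 'self'; img-src 'self' data:"));
```

Running the audit against a built bundle before shipping tells you exactly which directive would have to carry data:, which is the decision this issue is about; an external .svg referenced by a relative path needs only 'self' as long as it is served from the page's own origin.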
Thanks for your suggestion. If possible it would be nice to adhere to these security policies. They are at odds with "ease of use" though, I'm afraid. Having a single JS bundle with everything contained "just works". Having JavaScript/CSS files referring to external files gives issues with wrong (relative) paths when trying to use a library.
Besides the embedded images, JSONEditor itself adds an embedded version of the web worker code for JSON validation in the Ace editor to its bundle. This was done because many people had issues getting the web worker working in their projects (issues with bundlers, wrong relative paths, the worker having to be copied somehow into the files of their build, etc.).
I suppose we could create a build that does not bundle the images and worker. It may be a challenge to make this build workable/consumable by various bundlers and setups. Anyone interested in doing an experiment with this?
Would external files being relative to your own bundle be a problem? If I install the package it should reside in node_modules/jsoneditor/some.svg and then any import made from node_modules/jsoneditor/index.js as import svg from './some.svg' should just work, no?
Yes probably.
Related: https://github.com/ajaxorg/ace/issues/3307
@josdejong looking at that, it actually seems solved in ace-builds 1.4.13, and the latest version of jsoneditor uses 1.4.14.
Let me verify if this is fixed in the latest version.