Description
In my application, I need a strict Content Security Policy (CSP). When SunEditor launches, I get many errors that look something like this: "font.js:55 Refused to apply inline style because it violates the following Content Security Policy directive ... Either the 'unsafe-inline' keyword, a hash ('sha256-LttVSYb0PvaQoOpWwflrInBIsphdL8JMPhZkl8PNA08='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present."
I have tried adding the suggested hash to my CSP, but it seems that this hash is regenerated on each page load and I don't know how to change that.
My code generates a nonce that I would be glad to inject into SunEditor, if only I knew how. It seems that SunEditor uses Webpack, which allows for such injection, but only in the so-called "entry file," which could be index.js or equivalent. More on the requirements is here:
https://webpack.js.org/guides/csp/
It would be helpful to have an option in SunEditor.create into which I could write my nonce, and then have the script take care of the rest. Of course, I could be missing some easy solution, and if so, I'd appreciate any help.
Many thanks.
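
An added example (not part of the original issue and not SunEditor code) of the CSP mechanics behind the error quoted above: it builds a nonce-based policy without 'unsafe-inline' and audits markup for inline styles that such a policy refuses, separating `<style>` elements, which can carry a nonce, from `style=""` attributes, which cannot. All function names and the sample markup are assumptions constructed for illustration.

```javascript
// Added example, not SunEditor code. Node.js standard library only.
const crypto = require("node:crypto");

// One fresh 128-bit nonce per HTTP response; never reuse it across responses.
function makeNonce() {
  return crypto.randomBytes(16).toString("base64");
}

// CSP hash source for the exact text of an inline style; any byte change alters it.
function styleHashSource(cssText) {
  const digest = crypto.createHash("sha256").update(cssText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Strict policy: no 'unsafe-inline', so inline <style> elements need the nonce.
function buildCsp(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; style-src 'self' 'nonce-${nonce}'`;
}

// Audit markup against that policy (regex scan; adequate for this constructed
// sample, not a full HTML parser). Returns the inline styles a browser would refuse.
function auditInlineStyles(html, nonce) {
  const findings = [];
  for (const m of html.matchAll(/<style\b([^>]*)>([\s\S]*?)<\/style>/gi)) {
    const n = /\bnonce="([^"]*)"/i.exec(m[1]);
    if (!n || n[1] !== nonce) {
      findings.push({ kind: "style-element", css: m[2], hash: styleHashSource(m[2]) });
    }
  }
  // A nonce cannot be attached to a style="" attribute; only 'unsafe-inline', or
  // 'unsafe-hashes' plus this hash, would permit it.
  for (const m of html.matchAll(/<[a-z][^>]*\sstyle="([^"]*)"/gi)) {
    findings.push({ kind: "style-attribute", css: m[1], hash: styleHashSource(m[1]) });
  }
  return findings;
}

// Constructed sample page (hypothetical markup, not taken from SunEditor).
function samplePage(nonce) {
  return [
    `<style nonce="${nonce}">.toolbar{display:flex}</style>`,
    `<style>.menu{color:red}</style>`,
    `<span style="font-family: Arial">text</span>`,
  ].join("\n");
}

const nonce = makeNonce();
console.log(buildCsp(nonce));
console.log(auditInlineStyles(samplePage(nonce), nonce));
```

Running the audit over the HTML an editor actually injects shows which inline styles a nonce option could cover and which would need to move into a stylesheet or class.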