Content Security Policy

CKEditor 5 is compatible with applications that use CSP rules and helps developers build a secure web.

# Recommended CSP configuration

The recommended CSP configuration that allows the rich-text editor to run out–of–the–box with all standard features using the content like images or media from external hosts looks as follows:

default-src 'none'; connect-src 'self'; script-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-src *

# Impact of CSP on editor features

Some CSP directives have an impact on certain rich-text editor features. Here is the round-up of directives and their specific roles in the editor:

default-src 'none': Resets the policy and blocks everything. All successive directives work as a whitelist. By itself, as long as it is followed by other directives, it has no impact on the editor.
connect-src 'self'
- Allows the editor upload features to use XMLHttpReqests (Ajax) to upload files to the server, for instance, when an image is pasted or dropped into the editor content. The 'self’ value ensures the requests remain within the same host.
- Allows auto–saving editor data using XMLHttpRequest.
Note: To use CKEditor Cloud Services, include the http://*.cke-cs.com domain in the connect-src directive, for instance: connect-src 'self' http://*.cke-cs.com.
script-src 'self': Allows the execution of JavaScript from the current host only and can be applied only if the CKEditor 5 script file (<script src="[ckeditor-build-path]/ckeditor.js"></script>) is also served from that host.

Note: If CKEditor 5 is served from another host, for example the official CDN, make sure the value of script-src includes that host (script-src 'self' https://cdn.ckeditor.com).
img-src * data:
- The * directive value allows images in the editor content to come from any hosts.
- The data: value allows:
  - Pasting images from the clipboard and from MS Office into the editor content. Pasted images are usually represented as Base64–encoded strings (<img src="data:..." />) and without data: they cannot be displayed and uploaded.
  - Displaying the media embed feature placeholders for the inserted media.
Note: Use the more strict img-src 'self' if all images in the editor content are hosted from the same domain and you do not want to enable the media embed and paste from Word features.
style-src 'self' 'unsafe-inline': 'unsafe-inline' is necessary for:
- webpack’s style-loader to load the editor UI styles.
Note: You can extract styles to a separate .css file during the editor building process and remove this directive.
- Certain editor content styles to work properly. For instance, you are going to need it if you want to enable such editor features as font or text alignment or any other feature that uses inline style="..." attributes in the content.
frame-src *: Necessary for the media embed feature to load media with previews (containing <iframe>).

Note: Use the more strict frame-src 'self' if all the media in the edited content come from the same domain as your application.

A different set of Content Security Policy directives might be necessary to run CKFinder along with CKEditor 5. Check out the file manager documentation to learn more.

# Strictest working configuration

Knowing the role of each directive, the strictest set of rules that allows CKEditor 5 to run is as follows:

default-src 'none'; connect-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; frame-src 'self'

This comes with some trade–offs, though. For example, it requires you to:

Use an editor build with the styles extracted to a separate .css file (no style-loader).
Load images in the content from the same host.
Load previewable media in the content from the same host.
Give up certain features that use inline styles like font or text alignment.
Give up pasting images from the clipboard or from Office.

Every day, we work hard to keep our documentation complete. Have you spotted outdated information? Is something missing? Please report it via our issue tracker.