From f159366a63ce9bc65f7f5e18b7461eb50ab5bd37 Mon Sep 17 00:00:00 2001
From: Chris Snyder <7679-chrissnyder@users.noreply.drupalcode.org>
Date: Wed, 13 Dec 2023 08:13:54 +0000
Subject: [PATCH] Issue #3386187 by ChrisSnyder, gapple: CKEditor5 requires
 style-src 'unsafe-inline'

---
 src/EventSubscriber/CoreCspSubscriber.php | 32 ++++++++++++++++++-----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/EventSubscriber/CoreCspSubscriber.php b/src/EventSubscriber/CoreCspSubscriber.php
index 13bbea2..3a03e3a 100644
--- a/src/EventSubscriber/CoreCspSubscriber.php
+++ b/src/EventSubscriber/CoreCspSubscriber.php
@@ -82,12 +82,29 @@ class CoreCspSubscriber implements EventSubscriberInterface {
         $policy->fallbackAwareAppendIfEnabled('style-src-elem', [Csp::POLICY_UNSAFE_INLINE]);
       }
 
-      // Quickedit loads ckeditor after an AJAX request, so alter needs to be
-      // applied to calling page.
-      $quickedit = in_array('quickedit/quickedit', $libraries) && $this->moduleHandler->moduleExists('ckeditor');
+      // Libraries that load an editor after an AJAX request need their
+      // exceptions applied to the calling page.
+      $ajaxEditorLoader = (
+        in_array('layout_builder/drupal.layout_builder', $libraries)
+        || in_array('quickedit/quickedit', $libraries)
+      );
 
-      // CKEditor requires script attribute on interface buttons.
-      if (in_array('core/ckeditor', $libraries) || $quickedit) {
+      // CKEditor5 requires inline styles for interface.
+      // @see https://ckeditor.com/docs/ckeditor5/latest/installation/advanced/csp.html
+      if (
+        in_array('core/ckeditor5', $libraries)
+        || ($ajaxEditorLoader && $this->moduleHandler->moduleExists('ckeditor5'))
+      ) {
+        $policy->fallbackAwareAppendIfEnabled('style-src', [Csp::POLICY_UNSAFE_INLINE]);
+        $policy->fallbackAwareAppendIfEnabled('style-src-attr', [Csp::POLICY_UNSAFE_INLINE]);
+        $policy->fallbackAwareAppendIfEnabled('style-src-elem', [Csp::POLICY_UNSAFE_INLINE]);
+      }
+
+      // CKEditor4 requires script attribute on interface buttons.
+      if (
+        in_array('core/ckeditor', $libraries)
+        || ($ajaxEditorLoader && $this->moduleHandler->moduleExists('ckeditor'))
+      ) {
         $policy->fallbackAwareAppendIfEnabled('script-src-elem', []);
         $policy->fallbackAwareAppendIfEnabled('script-src', [Csp::POLICY_UNSAFE_INLINE]);
         $policy->fallbackAwareAppendIfEnabled('script-src-attr', [Csp::POLICY_UNSAFE_INLINE]);
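Review bot: The CKEditor4 condition above the `script-src` appends now also matches pages that attach `layout_builder/drupal.layout_builder`, so `'unsafe-inline'` is added to `script-src` and `script-src-attr` on Layout Builder pages whenever the ckeditor module is installed; the commit subject only mentions CKEditor5 `style-src`. `moduleExists()` shows only that the module is installed, not that an editor will load on the page, so the relaxation is probably broader than needed; the same holds for the CKEditor5 block and for the condition in the second hunk. If this is intended, the comment should say so, e.g. `// Applied to every Layout Builder and Quick Edit page while the module is installed; this weakens inline-script restrictions there.` The `in_array()` calls could also pass `TRUE` as the third argument for strict comparison. The enclosing method starts and ends outside the hunk.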
@@ -95,7 +112,10 @@ class CoreCspSubscriber implements EventSubscriberInterface {
 
       // Inline style element is added by ckeditor.off-canvas-css-reset.js.
       // @see https://www.drupal.org/project/drupal/issues/2952390
-      if (in_array('ckeditor/drupal.ckeditor', $libraries) || $quickedit) {
+      if (
+        in_array('ckeditor/drupal.ckeditor', $libraries)
+        || ($ajaxEditorLoader && $this->moduleHandler->moduleExists('ckeditor'))
+      ) {
         $policy->fallbackAwareAppendIfEnabled('style-src', [Csp::POLICY_UNSAFE_INLINE]);
         $policy->fallbackAwareAppendIfEnabled('style-src-attr', [Csp::POLICY_UNSAFE_INLINE]);
         $policy->fallbackAwareAppendIfEnabled('style-src-elem', [Csp::POLICY_UNSAFE_INLINE]);
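Review bot: The expression `($ajaxEditorLoader && $this->moduleHandler->moduleExists('ckeditor'))` is written out here and again in the CKEditor4 script condition of the first hunk, so the two CSP exceptions can drift apart in a later edit. Computing it once next to `$ajaxEditorLoader`, e.g. `$ajaxCkeditor4 = $ajaxEditorLoader && $this->moduleHandler->moduleExists('ckeditor');`, and using `|| $ajaxCkeditor4` in both conditions keeps them in step. The `if` body continues past the end of the hunk.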
-- 
GitLab