Case ce-0074 · Scenario scenario-csp-restrictions

Content Security Policy may restrict contenteditable behavior

OS: Windows 11
Device: Desktop or Laptop Any
Browser: Chrome 120.0
Keyboard: US
Status: draft
Tags: csp, security, chrome, windows

Phenomenon

When a page has a strict Content Security Policy (CSP), certain contenteditable operations may be restricted. Pasting content, executing scripts, or inserting HTML may be blocked depending on the CSP directives.

Reproduction example

  1. Create a page with a strict CSP header (e.g., default-src 'self').
  2. Create a contenteditable div on the page.
  3. Try to paste content from the clipboard.
  4. Try to insert HTML programmatically.
  5. Observe any CSP violations or blocked operations.
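
A minimal harness for the steps above, as an added example that is not part of the original case: a Node server sends the strict header with every response, and a same-origin script logs paste events, one programmatic insert and any `securitypolicyviolation` events. It records what the browser does rather than predicting it; port 8080, the `/repro.js` path and the element ids are assumptions.

```javascript
// Added repro harness. Port, paths and element ids are assumptions.
const CSP = "default-src 'self'"; // strict policy from step 1

// Client script, served same-origin because this policy blocks inline <script>.
const CLIENT_JS = `
const ed = document.getElementById('ed');
const log = document.getElementById('log');
const note = (m) => { log.textContent += m + '\\n'; };
// Step 5: every operation the policy blocks raises this event.
document.addEventListener('securitypolicyviolation', (e) =>
  note('CSP violation: ' + e.effectiveDirective + ' blocked ' + e.blockedURI));
// Step 3: record which clipboard formats a paste offered.
ed.addEventListener('paste', (e) =>
  note('paste types: ' + Array.from(e.clipboardData.types).join(', ')));
// Step 4: programmatic insert; to CSP the style attribute is inline style.
document.getElementById('ins').addEventListener('click', () => {
  ed.focus();
  document.execCommand('insertHTML', false, '<b style="color:red">inserted</b>');
  note('editor HTML now: ' + ed.innerHTML);
});
`;

const PAGE = `<!doctype html>
<meta charset="utf-8">
<title>CSP and contenteditable repro</title>
<div id="ed" contenteditable="true">Edit or paste here</div>
<button id="ins">Insert HTML</button>
<pre id="log"></pre>
<script src="/repro.js"></script>`;

// Map a request path to a response; every response carries the CSP header.
function respond(path) {
  const csp = { 'Content-Security-Policy': CSP };
  if (path === '/')
    return { status: 200, headers: { ...csp, 'Content-Type': 'text/html; charset=utf-8' }, body: PAGE };
  if (path === '/repro.js')
    return { status: 200, headers: { ...csp, 'Content-Type': 'text/javascript' }, body: CLIENT_JS };
  return { status: 404, headers: { ...csp, 'Content-Type': 'text/plain' }, body: 'not found' };
}

// Serve on loopback only when asked to, so the file can also be loaded for tests.
if (process.argv.includes('--serve')) {
  import('node:http').then((http) => http.createServer((req, res) => {
    const r = respond(req.url.split('?')[0]);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(8080, '127.0.0.1', () => console.log('open http://127.0.0.1:8080/')));
}
```

Start it with Node and the `--serve` argument, open the printed URL in the browser under test, then paste into the editable area and press the button. The on-page log and the DevTools console show which operations, if any, the policy blocked.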

Observed behavior

  • In Chrome on Windows, CSP may block certain contenteditable operations.
  • Pasting may be restricted if 'unsafe-inline' is not allowed.
  • Script execution within contenteditable may be blocked.
  • CSP violations may be logged in the console.

Expected behavior

  • CSP should not interfere with basic contenteditable editing.
  • Pasting should work within CSP constraints.
  • Otherwise, there should be clear documentation of how CSP and contenteditable interact.
