No description
Find a file
Mime Čuvalo 6ba3fb0722
csp: followup fixes/dx/tweaks (#4159)
couple interesting things here as followups to the CSP work.
- first of all, again, good call on doing the report-only to start with
@SomeHats 🤘
- I combed through all the Sentry logs, looking for issues. a lot of
them were browser extensions and could be ignored.
- there were some other ones that needed fixing up though.

fixes in this PR:
- [x] CSP emulation in dev: make sure it's running in development so
that we can catch things locally. this is done via the meta tag.
- [x] `connect-src` add `blob`: this was breaking copy/export as svg/png
- [x] image testing: expand list of pasted image extensions to include
avif and some others
- [x] image pasting: this didn't really work in the first place because
typically even with CSP disabled, you'll mainly run into CORS issues. I
think it's a pretty crap user experience. So, I moved this logic to
actually be in the URL unfurling. Lemme know what you think! I don't
think we should proxy the actual image data - that sounds ... intense 😬
even though it would produce a better user experience technically.
- [x] investigated `manifest-src` errors: but it actually seems fine?
Weird thing here is that `manifest-src` isn't explicitly in the CSP so
it falls back to the `default-src` of `self` which is fine. Trying it on
tldraw.com it seems just fine with no errors but inexplicably some users
are hitting these errors. I'm guessing maybe it's an ad-blocker type
behavior maybe.
- [x] `font-src` add `data`: I'm actually unsure if this is quite
necessary but I _think_ embedded fonts in SVGs are causing the problem.
However, I can't reproduce this, I just don't mind adding this.


Before / After for pasting image URLs (not a CSP issue, to be clear, but
a CORS issue)

## Before
<img width="448" alt="Screenshot 2024-07-12 at 17 59 42"
src="https://github.com/user-attachments/assets/e8ce267b-48fd-49cd-b0f7-0fd20c0b9a1d">

## After
<img width="461" alt="Screenshot 2024-07-12 at 18 00 06"
src="https://github.com/user-attachments/assets/9956590d-fe37-4708-bc26-0c454f8151b4">

### Change type

- [ ] `bugfix`
- [ ] `improvement`
- [ ] `feature`
- [ ] `api`
- [x] `other`

### Release notes

- Security: more CSP work on dotcom
2024-07-16 14:20:38 +00:00
.github publish bemo canaries (#4175) 2024-07-15 16:08:42 +00:00
.husky Don't check api.json files into git (#3565) 2024-04-24 15:58:26 +00:00
.yarn/patches Fix markdown list rendering on docs site (#3813) 2024-05-23 13:00:22 +00:00
apps csp: followup fixes/dx/tweaks (#4159) 2024-07-16 14:20:38 +00:00
assets serve icons via a single merged .svg file (#4150) 2024-07-15 11:03:11 +00:00
config sdk: wires up tldraw to have licensing mechanisms (#4021) 2024-07-11 11:49:18 +00:00
packages csp: followup fixes/dx/tweaks (#4159) 2024-07-16 14:20:38 +00:00
scripts Fix watermark imports in published packages (#4180) 2024-07-16 10:41:55 +00:00
templates Bump the npm_and_yarn group across 3 directories with 4 updates (#3920) 2024-06-11 13:33:44 +00:00
.dockerignore unbrivate, dot com in (#2475) 2024-01-16 14:38:05 +00:00
.eslintignore put sync stuff in bemo worker (#4060) 2024-07-03 14:10:54 +00:00
.eslintplugin.js transfer-out: transfer out 2023-04-25 12:01:25 +01:00
.eslintrc.js Better generated docs for react components (#3930) 2024-06-13 13:09:27 +00:00
.gitignore check worker bundle sizes (#4032) 2024-06-27 13:48:17 +00:00
.ignore put sync stuff in bemo worker (#4060) 2024-07-03 14:10:54 +00:00
.prettierignore put sync stuff in bemo worker (#4060) 2024-07-03 14:10:54 +00:00
.prettierrc Unbiome (#2776) 2024-02-07 16:02:22 +00:00
.yarnrc.yml [dx] Allow vscode to search inside md files by default (#3105) 2024-03-11 14:08:04 +00:00
CHANGELOG.md Update CHANGELOG.md [skip ci] 2024-06-25 13:27:57 +00:00
CLA.md Change licenses to tldraw (#2167) 2023-12-19 10:41:01 +00:00
CODE_OF_CONDUCT.md transfer-out: transfer out 2023-04-25 12:01:25 +01:00
CONTRIBUTING.md dev: swap yarn test and test-dev for better dx (#2773) 2024-02-14 16:05:59 +00:00
lazy.config.ts Don't check api.json files into git (#3565) 2024-04-24 15:58:26 +00:00
lerna.json sdk: wires up tldraw to have licensing mechanisms (#4021) 2024-07-11 11:49:18 +00:00
LICENSE.md Change licenses to tldraw (#2167) 2023-12-19 10:41:01 +00:00
package.json [3/5] Automatically enable multiplayer UI when using demo sync (#4119) 2024-07-10 15:46:09 +00:00
README.md Update README.md (#3818) 2024-05-23 09:27:40 +00:00
RELEASES.md css more shapes that need transparent behavior (#3497) 2024-04-16 15:19:30 +00:00
TRADEMARKS.md Change licenses to tldraw (#2167) 2023-12-19 10:41:01 +00:00
tsdoc.json Better generated docs for react components (#3930) 2024-06-13 13:09:27 +00:00
yarn.config.cjs Bump Yarn to 4.0.2 and add version constraints (#2481) 2024-01-18 11:09:17 +00:00
yarn.lock Split @tldraw/state into @tldraw/state and @tldraw/state-react (#4170) 2024-07-15 11:18:59 +00:00

tldraw

Welcome to the public monorepo for tldraw. tldraw is a library for creating infinite canvas experiences in React. It's the software behind the digital whiteboard tldraw.com.

🤵 Interested in purchasing a commercial license for the tldraw SDK? Fill out this form.

Installation

npm i tldraw

Usage

import { Tldraw } from 'tldraw'
import 'tldraw/tldraw.css'

export default function App() {
	return (
		<div style={{ position: 'fixed', inset: 0 }}>
			<Tldraw />
		</div>
	)
}

Learn more at tldraw.dev.

Local development

The local development server will run our examples app. The basic example will show any changes you've made to the codebase.

To run the local development server, first clone this repo.

Enable corepack to make sure you have the right version of yarn:

corepack enable

Install dependencies:

yarn

Start the local development server:

yarn dev

Open the example project at localhost:5420.

License

The tldraw source code and its distributions are provided under the tldraw license. This license does not permit commercial use. To purchase a commercial license or learn more, please fill out this form.

Trademarks

Copyright (c) 2023-present tldraw Inc. The tldraw name and logo are trademarks of tldraw. Please see our trademark guidelines for info on acceptable usage.

Contact

Find us on Twitter/X at @tldraw.

Community

Have questions, comments or feedback? Join our discord or start a discussion. For the latest news and release notes, check out our Substack.

Contribution

Please see our contributing guide. Found a bug? Please submit an issue.

Contributors

Star History

Star History Chart