How to use the TinyMCE Preview plugin securely?


When using the Preview plugin, the browser console throws up a warning and an error, because the plugin renders the preview area in a sandboxed iframe with both same-origin and script permissions (note that I am self-hosting TinyMCE):

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' localhost:* *.mywebsite.com *.stripe.com *.hcaptcha.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ccbHhlh0ggGPUGgxsrd3RaAKqX6TknPKMclaRo6bcUw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

There isn't any obvious documentation about how this should be handled. The Preview Plugin Docs don't contain any configuration items that might alter this behaviour or any warnings about it.

In addition, the TinyMCE and CSP page doesn't mention any need for the 'unsafe-inline' policy to be allowed on script-src.

The Content Security Policy on my website

default-src 'self' localhost:* *.mywebsite.com *.stripe.com *.hcaptcha.com; style-src *.mywebsite.com localhost:* 'unsafe-inline'; connect-src ws: *.mywebsite.com *.stripe.com; img-src localhost:* *.mywebsite.com *.stripe.com *.hcaptcha.com data: blob:;

The recommended policy from the TinyMCE and CSP page for self-hosting TinyMCE

default-src 'none'; script-src 'self'; connect-src 'self' blob:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self';

Unless I've overlooked something and it is my CSP that is the problem here (which seems unlikely, given that the iframe warning is thrown and that it is only script-src that gives the permissions error), I'm unsure how to use the Preview plugin in a way that doesn't introduce security vulnerabilities.

I tested this with a TinyMCE editor using no other plugins, and without any content inside the editor, to check if either of those could be causing the issue, but the same errors occur.
