Added configuration options description.

ckeditor · Mar 22, 2023 · e205391 · e205391
1 parent 64d9411
commit e205391
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 0 deletions.
diff --git a/plugins/embed/plugin.js b/plugins/embed/plugin.js
@@ -98,6 +98,19 @@
 
 } )();
 
+/**
+ * Decides if the content inside the Media Embed widget should be left as-is, without filtering (default behavior
+ * of the Embed plugin before v4.21). Since v4.21 the Media Embed widget content is regenerated
+ * every time when initializing the widget.
+ *
+ * **NOTE:** It's not recommended to enable this option. Accepting any content inside the embed plugin may open
+ * your application to security vulnerabilities. If, for some reason, you need to enable it, make sure to properly
+ * configure [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) on your web page.
+ *
+ * @since 4.21.0
+ * @cfg {Boolean} [embed_keepOriginalContent=false]
+ * @member CKEDITOR.config
+ */
 CKEDITOR.config.embed_keepOriginalContent = false;
 
 /**

diff --git a/plugins/iframe/plugin.js b/plugins/iframe/plugin.js
@@ -101,4 +101,42 @@
 	} );
 } )();
 
+/**
+ * Indicates the default iframe attributes.
+ *
+ * Starting from v4.21, iframe elements are sandboxed to secure web pages without proper
+ * [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) configuration.
+ *
+ * **NOTE:** Disabling that option may open your application to security vulnerabilities.
+ * If, for some reason, you need to enable it, make sure to properly
+ * configure [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
+ * on your web page or use function-based configuration to allow trusted iframe elements only.
+ *
+ * Function-based configuration example:
+ *
+ * ```javascript
+ * CKEDITOR.config.iframe_attributes = function( iframe ) {
+ *     var youtubeOrigin = 'https://www.youtube.com'
+ *
+ *     if ( youtubeOrigin.indexOf( iframe.attributes.src ) !== -1 ) {
+ *         return { sandbox: "allow-scripts allow-same-origin" }
+ *     }
+ *
+ *     return: { sandbox: "" };
+ * }
+ * ```
+ *
+ * Object-based configuration example:
+ *
+ * ```javascript
+ * CKEDITOR.config.iframe_attributes = {
+ *     sandbox: 'allow-scripts allow-same-origin',
+ *     allow: 'autoplay'
+ * }
+ * ```
+ *
+ * @since 4.21.0
+ * @cfg {Function/Object} [iframe_attributes = { sandbox: '' }]
+ * @member CKEDITOR.config
+ */
 CKEDITOR.config.iframe_attributes = { sandbox: '' };