TinyMCE Content Security Policy and allowed domains

Configuring Content Security Policy (CSP) for TinyMCE

TinyMCE can be used with a CSP header. When using a CSP, the following directives are required for TinyMCE to function:

Policy directives Reason

Policy directives	Reason
`script-src 'self' .tinymce.com .tiny.cloud;`	Scripts are sometimes loaded as script element with an src attribute.
`connect-src 'self' .tinymce.com .tiny.cloud blob:;`	XMLHttpRequest is required by some services such as spellchecking and PowerPaste.
`img-src 'self' .tinymce.com .tiny.cloud data: blob:;`	Images within the editor are sometimes base64 encoded, blob URLs, or proxied through the Tiny Cloud service.
`style-src 'self' 'unsafe-inline' .tinymce.com .tiny.cloud;`	Styles are used for inline formatting (such as underline, font colors, etc.) and the positioning of user interface elements.
`font-src 'self' .tinymce.com .tiny.cloud;`	Fonts are used for icons in the UI and is loaded from external files.

script-src 'self' *.tinymce.com *.tiny.cloud;

Scripts are sometimes loaded as script element with an src attribute.

connect-src 'self' *.tinymce.com *.tiny.cloud blob:;

XMLHttpRequest is required by some services such as spellchecking and PowerPaste.

img-src 'self' *.tinymce.com *.tiny.cloud data: blob:;

Images within the editor are sometimes base64 encoded, blob URLs, or proxied through the Tiny Cloud service.

style-src 'self' 'unsafe-inline' *.tinymce.com *.tiny.cloud;

Styles are used for inline formatting (such as underline, font colors, etc.) and the positioning of user interface elements.

font-src 'self' *.tinymce.com *.tiny.cloud;

Fonts are used for icons in the UI and is loaded from external files.

There is a hardened approach to CSP, commonly known as strict CSP. A strict CSP:

uses a nonce for all <script> elements;
regenerates each nonce on every page load;
refactors inline event handlers such that they are added from a JavaScript block; and
does not allow the unsafe-inline value in any directive.

However, TinyMCE currently requires the unsafe-inline value in the style-src directive to present content other than plain-text.

As a consequence, running TinyMCE from within a strict CSP configuration is not currently supported.

Also, the required directives documented above prevent any content loading from external sources. To allow content from specific sources, add the source domains to the relevant directives. For example, to allow YouTube videos:

media-src 'self' *.youtube.com;

To allow content from any source, use the (*) wildcard. Allowing all sources (using *) negates the security policy for the source type. For example:

media-src *;

For information on Content Security Policies, see: MDN Web Docs - Content Security Policy (CSP).

When using the Tiny Cloud, use this CSP header:

<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'none'; script-src 'self' *.tinymce.com *.tiny.cloud; connect-src 'self' *.tinymce.com *.tiny.cloud blob:; img-src 'self' *.tinymce.com *.tiny.cloud data: blob:; style-src 'self' 'unsafe-inline' *.tinymce.com *.tiny.cloud; font-src 'self' *.tinymce.com *.tiny.cloud;"
>

When self-hosting TinyMCE from a local domain, use this CSP header (excludes the *.tiny.cloud domain):

<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'none'; script-src 'self'; connect-src 'self' blob:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self';"
>

Firewall and proxy allowlisting

Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist Tiny Cloud domains. TinyMCE cloud-hosted features require the browser to make outbound HTTPS requests to these domains; no inbound access from Tiny Cloud is required.

Required domains

Allowlist the following wildcard domain to cover all Tiny Cloud services:

*.tiny.cloud

This single entry covers all cloud-hosted services, including but not limited to:

Editor loading and plugin delivery (cdn.tiny.cloud)
TinyMCE AI (tinymceai.api.tiny.cloud)
Import from Word (importdocx.api.tiny.cloud)
Export to Word (exportdocx.api.tiny.cloud)
Export to PDF (exportpdf.api.tiny.cloud)
Image proxy (imageproxy.tiny.cloud)
Link checking (hyperlinking.tiny.cloud)
Spell checking (spelling.tiny.cloud)

Self-hosted deployments that do not connect to any Tiny Cloud services do not require this allowlisting. For self-hosted services such as on-premises document converters or AI, allowlist the domain where the self-hosted service is running instead.

Required HTTP headers

Ensure the proxy retains (does not strip) the following HTTP headers on requests to *.tiny.cloud domains:

tiny-api-key
tinymce-api-key

These headers are required for API key validation and service authentication.

`content_security_policy`

This option allows a custom content security policy to be set for the editor’s iframe contents.

Type: String

Example: using `content_security_policy`

tinymce.init({
  selector: 'textarea',  // change this value according to your HTML
  content_security_policy: "default-src 'self'"
});