Skip to content

feat: Add option to add CSP to the replay iframe #1766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
KristianGrafana wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: Add option to add CSP to the replay iframe #1766

KristianGrafana wants to merge 2 commits into from
+9 −2

Conversation

@KristianGrafana
Copy link

@KristianGrafana KristianGrafana commented Dec 2, 2025
edited
Loading

This PR adds support to add a Content-Security-Policy to the iframe. This is if users want to further tighten the security of the iframe by being able to block images, videos, objects, iframes and more.

Let me know if you have any questions!

Copilot AI review requested due to automatic review settings December 2, 2025 14:21
@changeset-bot
Copy link

changeset-bot bot commented Dec 2, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 4016cb3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR attempts to add Content Security Policy (CSP) support to the replay iframe to allow users to tighten security by blocking images, videos, objects, iframes, and other content types.

Key Changes:

  • Added optional csp configuration parameter to the playerConfig type
  • Implemented CSP application logic in the setupDom method of the Replayer class

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
packages/rrweb/src/types.ts Adds optional csp?: string property to playerConfig type definition
packages/rrweb/src/replay/index.ts Implements CSP application by setting the csp attribute on the replay iframe element

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

@Juice10
Copy link
Member

Juice10 commented Jan 2, 2026

Hi @KristianGrafana, thanks for this addition. Since the csp attribute is lacking some major browser support it would be good to document this so people who use it don't get a false sense of security. And in general it would be good to document this feature in the Guide.md and rrweb-player readme files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@KristianGrafana @Juice10