Add referrerPolicy to image loading through asset manager
As already replied to the PR, this can be done by extending the image component if necessary, without the risk of breaking the integration for others. And as a note, when you want to add a feature, you should always think about how this will work for others. So, if the referrerPolicy thing offers more options, it prob...
Read full answer below ↓Question
What are you trying to add to GrapesJS?
I'm trying to add the Referer header to image loading through asset manager.
Describe your feature request detailed
I'm working on a pagebuilder that's hosted on AWS. To stop people hotlinking my images, I've implemented AWS WAF which restricts image loading to the referer domain (my own domains).
When loading an image programmatically using .src there is no referer header being sent resulting in broken/non displayable images (403 errors from the webserver). We can solve this problem by setting the referrerPolicy attribute to origin. More details about this can be found here: https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement/referrerPolicy
Is there an alternative at the latest version?
- Yes (descripe the alternative)
- No
Is this related to an issue?
- Yes (Give a link to the issue)
- No
Answers (4)
As already replied to the PR, this can be done by extending the image component if necessary, without the risk of breaking the integration for others.
And as a note, when you want to add a feature, you should always think about how this will work for others. So, if the referrerPolicy thing offers more options, it probably makes sense to make it customizable, so the new feature can be adaptable also for other cases (you can't force it to origin only because it works for your case).
Thank you very much for the tipp @artf - I'll try to get this done by extending the original component. Have a great day! 😃
For everyone who has the same problem that the iframe doesn't send referrer headers for content displayed inside of it, here's a quick and dirty fix.
Just set the Canvas iFrame src to your desired domain that you want to use the referrer with. In my case I wanted to have the same domain like for the webpage the editor is displayed on.
While rendering, the srcDoc attribute leads the way, followed by the src attribute.
Keep in mind that setting this after the Canvas iFrame is loaded may lead to errors, so try manipulating your Canvas View attributes (not directly possible as far as I know).
Thanks for reporting this, @tomhatzer.
The issue with FEAT: Add referrerPolicy to image loading through asset manager appears to be a race condition or state management timing problem. This typically happens when component lifecycle events and DOM modifications overlap, creating an inconsistent state.
What to try:
- Add a setTimeout wrapper to ensure the DOM has settled:
setTimeout(() => {
// your operation here
}, 0);
-
Check initialization order — make sure components are fully loaded before you interact with them
-
Use the editor's event system — listen to completion events:
editor.on('component:mount', (component) => {
// safe to interact with component here
});
Recommended next steps:
- Test with the latest GrapesJS version if you haven't
- Provide a minimal reproducible example (CodeSandbox) — this helps the team identify the root cause faster
- Include GrapesJS version, browser, and console errors in your report
Related Questions and Answers
Continue research with similar issue discussions.
Issue #3561
FEAT: Enhanced Shadow DOM Support
What are you trying to add to GrapesJS? Better Shadow DOM support, allowing developers to render GrapesJS inside a Shadow element without h...
Issue #6416
htmlentities > breaking remote storage - Displays undefined
GrapesJS version [x] I confirm to use the latest version of GrapesJS What browser are you using? Firefox and Chrome Reproducible demo link...
Issue #5312
Issue with rich text editor Indent action for Lists
GrapesJS version[X] I confirm to use the latest version of GrapesJSWhat browser are you using? Chrome V115Reproducible demo link https://js...
Issue #4385
index.d.ts says that run commands should return void but docs say their return value may be used
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Any Reproducible demo link https://grapesj...
Paid Plugins That Match This Issue
Curated by issue keywords and label relevance to help you ship faster.
Loading paid plugin recommendations...
Check the open-source GrapesJS plugins on GitHub or run a quick search in our free catalog.
Browse free plugins →Premium plugins ship with support, regular updates, and production-ready features — save days of integration work.
Browse premium plugins →Related tutorials
In-depth guides on the same topic.
Tutorial
How to Build a Production GrapesJS Editor: The Complete Walkthrough of Brief, Preset, Plugins, and Services
A complete walkthrough of building a production GrapesJS editor: how to choose a preset, pick plugins, and scope setup services without burning a sprint.
Tutorial
GrapesJS Inline RTE Plugins Update: CKEditor 5 v0.1.4 and Froala Inline Text Editor
CKEditor 5 Inline for GrapesJS v0.1.4 fixes Studio SDK toolbar clipping, iframe injection and link balloon bugs. Compare with Froala Inline — both $69.
Tutorial
Embed GrapesJS in Your SaaS: A Weekend Guide
Embed GrapesJS in your SaaS and ship a white-label page builder over a weekend. Honest tradeoffs, real code, and the plugins that close the UX gap.
Browse Plugin Categories
Jump directly to plugin category pages on the marketplace.