[BUG] Forced to use 'unsafe-eval' and 'unsafe-inline' in CSP #1794
Comments
Related issues/PR:
@shadydealer According to https://github.com/plotly/dash/blob/dev/CHANGELOG.md#230---2022-03-13 you can now avoid
Hi - we are tidying up stale issues and PRs in Plotly's public repositories so that we can focus on things that are most important to our community. If this issue is still a concern, please add a comment letting us know what recent version of our software you've checked it with so that I can reopen it and add it to our backlog. (Please note that we will give priority to reports that include a short reproducible example.) If you'd like to submit a PR, we'd be happy to prioritize a review, and if it's a request for tech support, please post in our community forum. Thank you - @gvwilson
Describe your context
python 3.8
Describe the bug
I'm trying to set up a dash with flask along with talisman like so:
But the following errors occur in Firefox 92.0:
And the only way I could get them to work is by setting the content security policy like so:
Note the 'unsafe-eval' in the script-src directive and the 'unsafe-inline' in the style-src directive.
However this is bad
The reason is that all of those files have either a Python eval() statement in them or, in the case of the stylesheets, are inserting style elements dynamically.
Expected behavior
Should be able to define CSP without having to use 'unsafe-eval' and 'unsafe-inline'
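An added example, not part of the original issue and not Dash or flask-talisman code: a small auditor that reports whether 'unsafe-eval' or 'unsafe-inline' is actually in effect for script-src and style-src in a policy string, plus the standard way a hash source expression for a known inline body is formed. The function names and both sample policies are constructed for illustration.

```python
import base64
import hashlib

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Parse a policy string into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(header):
    """Report where 'unsafe-eval' / 'unsafe-inline' are actually in effect."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src"):
        # A missing directive falls back to default-src; -elem/-attr variants are not handled.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"{directive}: unrestricted")
            continue
        lowered = [s.lower() for s in sources]
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
        pinned = any(s.startswith(HASH_OR_NONCE) for s in lowered)
        if "'unsafe-inline'" in lowered and not pinned:
            findings.append(f"{directive}: 'unsafe-inline'")
        if directive == "script-src" and "'unsafe-eval'" in lowered:
            findings.append(f"{directive}: 'unsafe-eval'")
    return findings

def csp_hash(inline_text):
    """Source expression allowing exactly this inline <script> or <style> body."""
    digest = hashlib.sha256(inline_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

# Constructed policies (not the issue author's configuration).
RELAXED = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
HASHED = "default-src 'self'; style-src 'self' " + csp_hash("body{margin:0}")

if __name__ == "__main__":
    print(audit(RELAXED))
    print(audit(HASHED))
```

A hash only matches an inline body whose exact text is known when the policy is built, so it does not cover style elements whose content is generated at run time.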