Document compatibility with CSP #4585

Status: Open

tdelmas opened this issue Feb 16, 2020 · 5 comments

Labels: documentation (written for humans), feature (something new), P2 (considered for next cycle)

Comments

tdelmas commented Feb 16, 2020

Per #897, plotly will not be 100% compatible with a strict Content Security Policy concerning script-src (i.e. without unsafe-eval).

But it's possible to use it with a strict policy; only some methods are not available: for example the basic bundle works if we avoid Plotly.d3.csv (cf. #897 (comment)).

The documentation should highlight these limitations, because once a website starts using a method not compatible with a strong CSP, it will be really difficult to set up that policy in the future, thus weakening the security of that website. People should be aware of that trade-off, and know which methods they can use to avoid that pitfall.

tdelmas commented Feb 17, 2020

Related: d3/d3-dsv#67

tdelmas commented Feb 19, 2020

Also, the "download" feature requires blob: for image-src.

AbdealiLoKo commented May 13, 2020

Hi,
Wondering if there were any suggestions or workarounds on how to overcome these CSP-related issues?
We are facing the same issue and are blocked from moving things to production due to it.

We found:

  • There is a data: in some of the mapbox components
  • There is a data: usage in the "download image as png" feature

@mcobzarenco commented:

Same question as above -- unfortunately the way plotly insists on embedding charts seems pretty incompatible with CSP.

@AbdealiLoKo commented:

Just documenting as I came across this recently again.
There is now a strict bundle which should be better CSP compliant in plotly 2.x: https://github.com/plotly/plotly.js/blob/v2.0.0/dist/README.md#plotlyjs-strict

The note from that readme is as follows:

The strict partial bundle includes everything except the traces that require function constructors. Over time we hope to include more of the remaining trace types here, after which we intend to work on other strict CSP issues such as inline CSS that we may not be able to include in the main bundle.
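To make the trade-off discussed in this thread checkable before deployment, here is an added example (not plotly's code) that parses a Content-Security-Policy header and reports the points raised above: whether script-src still relies on 'unsafe-eval', and whether the image directive (the real directive name is img-src) allows the blob: and data: sources that the image download and mapbox features were observed to need. It assumes the header string is available to the checker, e.g. from a build or deployment test.

```javascript
// Added example: audit a CSP header for the plotly.js-related findings in
// this issue. Constructed helper, not part of plotly or any browser API.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives such as script-src and img-src fall back to default-src
// when they are not listed explicitly.
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy['default-src'] ?? [];
}

function auditForPlotly(header) {
  const policy = parseCsp(header);
  const script = effectiveSources(policy, 'script-src');
  const img = effectiveSources(policy, 'img-src');
  const findings = [];

  const strictScript = !script.includes("'unsafe-eval'");
  if (!strictScript) {
    findings.push("script-src allows 'unsafe-eval': the policy is not strict; " +
      "the plotly.js-strict bundle lets you drop it");
  } else {
    findings.push("script-src has no 'unsafe-eval': only CSP-safe plotly " +
      "methods work (e.g. avoid Plotly.d3.csv)");
  }

  // A bare '*' does not match blob: or data:; schemes must be listed explicitly.
  const imgBlob = img.includes('blob:');
  const imgData = img.includes('data:');
  if (!imgBlob) findings.push('img-src lacks blob:: the image download feature will be blocked');
  if (!imgData) findings.push('img-src lacks data:: PNG download and mapbox components will be blocked');

  return { strictScript, imgBlob, imgData, findings };
}
```

Run it against each candidate policy in CI and fail the build when `strictScript` regresses to false, so the pitfall described at the top of the thread (a policy that can no longer be tightened later) is caught early.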

@gvwilson added the labels feature (something new), P2 (considered for next cycle) and documentation (written for humans) on Aug 9, 2024.