Per #897, plotly will not be 100% compatible with a strict Content Security Policy concerning script-src (i.e. without unsafe-eval).
But it's possible to use it with a strict policy, only some methods are not available: for example the basic bundle works with it if we avoid Plotly.d3.csv (cf. #897 (comment)).
The documentation should highlight these limitations, because once a website starts using a method not compatible with a strong CSP, it will be really difficult to set up that policy in the future, thus weakening the security of that website. People should be aware of that trade-off, and know which methods they can use to avoid that pitfall.
Hi,
Wondering if there were any suggestions or workarounds on how to overcome these CSP-related issues?
We are facing the same issue and are blocked from moving things to production due to it.
We found:
There is a data: in some of the mapbox components
There is a data: usage in the "download image as png" feature
The strict partial bundle includes everything except the traces that require function constructors. Over time we hope to include more of the remaining trace types here, after which we intend to work on other strict CSP issues such as inline CSS that we may not be able to include in the main bundle.
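The check below is an added example, not code from plotly.js or from anyone in this thread. It audits a Content-Security-Policy header for the two relaxations the thread names, 'unsafe-eval' in script-src and data: sources. The function names and the two header strings are constructed for illustration.

```javascript
// Parse a CSP header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      // Lowercasing is safe here because only keywords and schemes are compared.
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// Report whether eval-like code (eval, new Function) is allowed and which
// directives accept data: URLs.
function auditCsp(header) {
  const policy = parseCsp(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src');
  const evalAllowed =
    scriptSrc === undefined || scriptSrc.includes("'unsafe-eval'");
  const dataDirectives = [...policy]
    .filter(([, sources]) => sources.includes('data:'))
    .map(([name]) => name);
  return { evalAllowed, dataDirectives };
}

// Constructed sample policies: a strict one and one relaxed for eval and data:.
const STRICT = "default-src 'self'; script-src 'self'; img-src 'self'";
const RELAXED =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; " +
  "img-src 'self' data:; connect-src 'self' data:";

console.log(auditCsp(STRICT));
console.log(auditCsp(RELAXED));
```

Running this against the header a site actually serves shows which of the two relaxations a deployment currently depends on.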