Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed CSP Strict Style Compatibility #6239

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fixed CSP Strict Style Compatibility #6239

wants to merge 3 commits into from

Conversation

shaurya-sisodia
Copy link

Fixes #2355 Plotly uses inline CSS

  • Only piece of code violating the CSP strict style rule is the addStyleRule function which is appending a dynamic stylesheet to the head. In all other cases, the plotly.js is setting up a dynamic style using CSP-compliant methods.
  • In the case of a CSP compliant build, we will create a static CSS stylesheet in a CSS file that applications can include on their end.
  • Providing switch in the build process to enable CSP strict style build and providing a path for static CSS stylesheet relative to dist folder.
  • Creating a static CSS file at command line provided path defaulting to build folder with name plot-csp.css

@shaurya-sisodia
Fixed CSP Strict Style Compatibility
21ef8ad 
Fixes plotly#2355 Plotly uses inline CSS

* Providing switch in build process to enable CSP strict style build
* Creating a static CSS file at command line provided path defaulting to build folder with name plot-csp.css
@shaurya-sisodia
fixing env variable in preprocess
f17c0f7
@alexcjohnson
Copy link
Collaborator

@shaurya-sisodia thanks for the investigation and the PR! It's great to know that only addStyleRule is problematic for strict CSP - from the earlier discussion I was worried that d3 selection.style was also a problem, which would have made this MUCH harder to resolve.

So given that, I wonder if we can just inline all the styles we need? There aren't that many, and you've already figured out one of the most annoying parts, the hover pseudo-selector. That would avoid having two separate builds (which is more to test & maintain) as well as requiring strict users to remember the stylesheet - easy to forget as it doesn't do all that much until you start interacting with the graph, and it seems like including an external stylesheet brings its own headaches in a strict CSP environment.

@shaurya-sisodia
Copy link
Author

Hi @alexcjohnson

Thanks for the reply.

If we do not want to go by two builds approach. We can instead use adoptedStyleSheets and 'replaceSync' to update styling in csp compliant way for the whole document. Rather than creating a static stylesheet for a special build.

For browers i.e. IE and Safari that don't support replaceSync we can update styles directly on the HTMLElements like we are doing for modebar's dynamic styles in current fix.

@sesa529917
Copy link

Lack of support for strict CSP support is a blocker for the organization I work for.
Our corporate security systems simply won't allow us to run with unsafe-inline.
This PR resolves the issue. Please consider merging it or implementing similar strict CSP support in the library.

@sesa529917 sesa529917 mentioned this pull request Mar 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
status: reviewable type: community
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Plotly uses inline CSS
4 participants
@shaurya-sisodia @alexcjohnson @sesa529917 @archmoj