
[BUG] CSP not working as stated in documentation #2518


Closed
SnoozeFreddo opened this issue Apr 29, 2023 · 2 comments

Comments

@SnoozeFreddo

SnoozeFreddo commented Apr 29, 2023

Hi there,

I tried, as mentioned here, to add
csp = {"default-src": "'self'", "script-src": ["'self'"] + app.csp_hashes()}

https://dash.plotly.com/reference

to Talisman's CSP rule instead of none, but it breaks the application. The log says

dash                 2.9.3
dash-bootstrap-components==1.4.1

(screenshot of the log; image not preserved)

The documentation also just adds the list to the string, which doesn't work.

From the docs:

flask_talisman.Talisman(app.server, content_security_policy= { "default-src": "'self'", "script-src": "'self'" + app.csp_hashes() })

and even if I do define it

csp = {"default-src": "'self'", "style-src": ["'self'"] + app.csp_hashes(), "script-src": ["'self'"] + app.csp_hashes()} Talisman

It still tells me that

sh_renderer.v2_9_3m1682736561.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='". Either the 'unsafe-inline' keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce ('nonce-...') is required to enable inline execution.

which is weird because I do pass a hash, but it tells me I didn't, even though it shows me I did.

I also tried to download the plotly-strict.js file and serve it under assets.

(screenshot; image not preserved)

Adding each sha string to the CSP config helps, of course, but if the components get updated it will break my code.

@nickmelnikov82
Member

nickmelnikov82 commented Jun 2, 2023

Hello! Perhaps this will help.
There is an error in the CSP format: In the first quoted code snippet, you use app.csp_hashes() to generate hashes, but then add this function to the "script-src" line: ["'self'"] + app.csp_hashes(). It looks like app.csp_hashes() is returning a list of hashes, but you're not unpacking it. Try changing this line to "script-src": ["'self'"] + [*app.csp_hashes()] to add the hashes to the list correctly.
I also advise you to look at the solution to a similar problem.
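As an added, runnable example (it is not code from the issue, from Dash, or from flask-talisman): it builds the policy dictionary in the list form used in the report, shows that the documentation's string-plus-list form raises a TypeError, renders the header value (the serialization mirrors flask-talisman's convention of space-joined list values but is a simplified stand-in, an assumption), and checks the browser's violation message quoted above against the policy to see whether the hash the browser asks for is present in the directive it complained about. The hash list is copied from the quoted log line and stands in for app.csp_hashes(); the function names are my own.

```python
import re
from typing import Dict, List, Union

Directive = Union[str, List[str]]

# Stand-in for app.csp_hashes(): the hash taken from the log line in the report.
# A real Dash app returns the hashes of its bundled inline scripts, which change
# when the bundle changes (which is why hard-coding them is brittle).
SAMPLE_HASHES: List[str] = [
    "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='",
]

# The browser violation message quoted in the report, used as sample input.
VIOLATION = (
    "Refused to apply inline style because it violates the following Content "
    "Security Policy directive: \"style-src 'self' "
    "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='\". Either the "
    "'unsafe-inline' keyword, a hash "
    "('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce "
    "('nonce-...') is required to enable inline execution."
)


def build_csp(hashes: List[str]) -> Dict[str, Directive]:
    """List form from the report: 'self' plus the hash list for both directives."""
    return {
        "default-src": "'self'",
        "script-src": ["'self'"] + list(hashes),
        "style-src": ["'self'"] + list(hashes),
    }


def docs_form_raises(hashes: List[str]) -> bool:
    """The documentation snippet does "'self'" + app.csp_hashes(), i.e. str + list."""
    try:
        "'self'" + hashes  # type: ignore[operator]
    except TypeError:
        return True
    return False


def render_csp(policy: Dict[str, Directive]) -> str:
    """Serialize to a Content-Security-Policy header value (simplified stand-in
    for the extension's own rendering: lists are space-joined, directives
    are separated by '; ')."""
    parts = []
    for name, value in policy.items():
        sources = value if isinstance(value, list) else [value]
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


_REQUIRED = re.compile(r"a hash \('(sha\d+-[A-Za-z0-9+/=]+)'\)")
_DIRECTIVE = re.compile(r'directive: "([a-z-]+) ')


def required_hash(message: str) -> Union[str, None]:
    """Hash the browser says would have allowed the blocked inline content."""
    m = _REQUIRED.search(message)
    return m.group(1) if m else None


def violated_directive(message: str) -> Union[str, None]:
    """Name of the directive the browser reports as violated."""
    m = _DIRECTIVE.search(message)
    return m.group(1) if m else None


def covers(policy: Dict[str, Directive], message: str) -> bool:
    """True when the violated directive already lists the hash the browser asks for.
    Falls back to default-src when the directive is absent, as CSP does."""
    directive = violated_directive(message)
    needed = required_hash(message)
    if directive is None or needed is None:
        return False
    value = policy.get(directive, policy.get("default-src", []))
    sources = value if isinstance(value, list) else [value]
    return f"'{needed}'" in sources


if __name__ == "__main__":
    policy = build_csp(SAMPLE_HASHES)
    print("docs form raises TypeError:", docs_form_raises(SAMPLE_HASHES))
    print("header:", render_csp(policy))
    print("directive:", violated_directive(VIOLATION))
    print("browser requires:", required_hash(VIOLATION))
    print("policy covers required hash:", covers(policy, VIOLATION))
```

Running it shows the policy from the report does contain a hash, but not the one the browser names in the message: the hash in the directive and the hash in the "a hash (...)" clause differ, so the check returns False until that second value is added. The same check can be run over a collected CSP violation report to spot which inline resources a hash list no longer covers after an upgrade.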

@gvwilson
Contributor

Hi - we are tidying up stale issues and PRs in Plotly's public repositories so that we can focus on things that are most important to our community. If this issue is still a concern, please add a comment letting us know what recent version of our software you've checked it with so that I can reopen it and add it to our backlog. (Please note that we will give priority to reports that include a short reproducible example.) If you'd like to submit a PR, we'd be happy to prioritize a review, and if it's a request for tech support, please post in our community forum. Thank you - @gvwilson
