Remove inline styles that break plots in strict CSP setups #7109
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support strict Content Security Policies that don't allow unsafe inline styles by:
addRelatedStyleRule
calls to fail without affecting functionality.addRelatedStyleRule
from running when the static CSS file is already included in the app to prevent superfluous errors in console output.Note: The
dist/plotly.css
file will need to be added to the release files.Possibly fixes #2355 Plotly uses inline CSS
This pull request is the result of reviewing and testing Pull Request #6239, which did not work properly when I tested it against the v2.34.0 release tag (the most recent release at the time of testing and over 2 years since that pull request was created). It also incorporate the comments within that pull request to improve on this one.
Expected Results
plotly.css
into the application in a way allowed by their CSP. A separate build is not required to get this fix.plotly.css
.addRelatedStyleRule
will also output a warning message: "Cannot addRelatedStyleRule, probably due to strict CSP..."<div id="plotly.js-style-global" class="no-inline-styles"></div>
This will cause the
addRelatedStyleRule
function to not attempt to add the inline styles.Testing
Testing this is a bit tricky to setup, but I do have an basic sandbox created that seems to demonstrate:
plotly-basic.js
file from the v2.34.0 release.plotly-basic.js
patched with this pull request.CSB has some special quirks, so the CSP was relaxed to allow things to work due to CSB specifics. However, it was not set up to permit unsafe inline styles nor does it contain the sha256 hash of styles inlined by Plotly.
See comments in the
ScatterChart.tsx
andindex.html
files.https://kl75h2.csb.app/
https://codesandbox.io/s/kl75h2
Followup Questions
deleteRelatedStyleRule
is no longer used anywhere else in the code. It was used by only inmodebar.js
before this change. Should that function be deleted?addStyleRule
is used in two places, both of which are accounted for in this pull request (insrc/registry.js
andbuild/plotcss.js
). How should we warn developers in the future who comes across this function? Add comments and/or rename it to something likeaddStyleRuleUnsafelyInline
?Limitations
I don't much experience with Plotly.js and have been using it only for a simple scatter chart (like the one in the CSB above). I don't have enough experience to understand if more changes are needed beyond my simple test case and the work done in Pull Request #6239. Hopefully this is still helpful to bring this library closer to supporting strict CSP's.