frappe / charts

Simple, responsive, modern SVG Charts with zero dependencies
https://frappe.io/charts
MIT License

CSP support #378

Open archfz opened 2 years ago

archfz commented 2 years ago

Expected Behaviour

The most useful CSP rule for style is to disallow inline styles. This should work correctly with frappe charts.

Actual Behaviour

Styles are blocked and frappe charts is not working correctly.

Steps to Reproduce:

  1. Use frappe charts.
  2. Configure CSP and do not allow `unsafe-inline`:

     ```html
     <meta http-equiv="Content-Security-Policy" content="style-src 'self' *.mydomain.ro mydomain.ro 'nonce-BnP58e96vet5BG2gurtvnauzi1PdyH7u'">
     ```


Frappé Charts version: 1.6.2

scmmishra commented 2 years ago

I don't have the bandwidth to take this up at the moment. If you could raise a PR fixing this, I'll be happy to review it.

DoodlesEpic commented 2 years ago

Just a note for anyone passing by: if you cannot use 'unsafe-inline' because you have at least one hash on the style-src directive, then you have to add 'unsafe-hashes' to the style-src directive and hardcode the hashes that Chromium dev tools give you to the style-src directive. Really not ideal, but better than having to disable it completely. You could also do this instead of adding 'unsafe-inline', as I believe it makes better use of the CSP.