Content Security Policy CSP configuration

[Tetradeus]

Hello,

I would like to know what is the best way to work with google charts and CSPs

The only configuration I was able to work with is the following :

script-src 'self' https://www.gstatic.com;
style-src 'self' https://www.gstatic.com;

I am worried about allowing any resource from gstatic domain...

On the contrary, maps has its own domain : maps.gstatic.com Couldn't you set up charts.gstatic.com instead of www.gstatic.com/charts/...

As an alternative, is there any way to avoid loading external script and style but just get them from a npm artifact ?

Thanks a lot for your help.

[dlaliberte]

I wasn't aware that there might be a benefit in using a unique subdomain of gstatic.com as opposed to only loading files under www.gstatic.com/charts/.... I believe it should be possible to provide Google Charts both ways (which we would probably need while migrating from one to the other), but I don't know when I will be able to get to that.

By an npm artifact, do you mean something packaged up and served via gstatic.com?

[Tetradeus]

I have been digging more and I found the solution here: https://stackoverflow.com/questions/33680150/does-the-content-security-policy-standard-support-wildcard-paths-if-not-why-do

So in fact path prefix filter could also work when ending with a slash. Here is the correct configuration :

script-src 'self' https://www.gstatic.com/charts/;
style-src 'self' https://www.gstatic.com/charts/;

So no hurry/need to migrate.

By an npm artifact, I meant a packaged version containing scripts and styles for gcharts instead of dynamic loading.

Thanks for your help.

[dlaliberte]

Good to know that you have a solution.

I'll look into alternative packaging mechanisms as well, but if you mean for downloading to use via other servers, that won't be possible until we start open sourcing the Google Charts code. We are getting closer to that, by the way. The first release will contain the core functionality for fetching data and constructing DataTables, formatting data columns, and some related tools. Things that can be used independent of charts.