Open literakl opened 3 years ago
By default, Chart.js injects CSS directly into the DOM. For webpages secured using Content Security Policy (CSP), this requires allowing `style-src 'unsafe-inline'`.
https://www.chartjs.org/docs/2.9.4/getting-started/integration.html
A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
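
An added example, not part of the original issue or of Chart.js: a small JavaScript check of whether a given Content-Security-Policy header would let through a script-injected `<style>` element, the kind Chart.js adds by default. The function names and the sample policies are constructed for illustration.

```javascript
// Added example: does a CSP header permit inline <style> elements?
// Function names are hypothetical; sample policies are constructed.

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Verdict for a <style> element created by script without a nonce attribute.
function inlineStyleVerdict(header) {
  const policy = parseCsp(header);
  // CSP Level 3 fallback chain for <style> elements.
  const directive = ['style-src-elem', 'style-src', 'default-src']
    .find((d) => policy.has(d));
  if (!directive) {
    return { allowed: true, directive: null, reason: 'no directive restricts styles' };
  }
  const sources = policy.get(directive).map((s) => s.toLowerCase());
  const hasInline = sources.includes("'unsafe-inline'");
  // Any nonce or hash source makes the browser ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasInline && hasNonceOrHash) {
    return { allowed: false, directive, reason: "'unsafe-inline' ignored: nonce or hash present" };
  }
  if (hasInline) {
    return { allowed: true, directive, reason: "'unsafe-inline' present" };
  }
  return { allowed: false, directive, reason: "no 'unsafe-inline' in effective directive" };
}

// Constructed policies: the relaxed one the issue describes, and a strict one.
const relaxed = "default-src 'self'; style-src 'self' 'unsafe-inline'";
const strict = "default-src 'self'; style-src 'self'";
for (const p of [relaxed, strict]) {
  const v = inlineStyleVerdict(p);
  console.log(`${p}\n  -> injected <style> ${v.allowed ? 'allowed' : 'blocked'} (${v.reason})`);
}
```

For policies that come out as "blocked", the linked Chart.js 2.9.4 integration page documents the alternative: load `chart.min.css` as a normal stylesheet and set `Chart.platform.disableCSSInjection = true` before creating the first chart.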