Open id2359 opened 1 year ago
A comment on the above ticket suggests this can be fixed by using the "strict" plotly js bundle:
https://github.com/plotly/dash/blob/dev/CHANGELOG.md#230---2022-03-13
comment there says:
Updated
- https://github.com/plotly/dash/pull/2016, https://github.com/plotly/dash/pull/2032, and https://github.com/plotly/dash/pull/2042 Widespread dependency upgrades
  - Upgrade Plotly.js to v2.12.1 (from v2.11.0).
    - Feature release 2.12.0 adds minor ticks and gridlines, as well as dashed gridlines.
    - Patch release 2.11.1 fixes regl-based traces in strict CSP mode, however you must manually switch to the strict bundle to use this.
    - Patch release 2.12.1 fixes several bugs.
  - Upgrade black to v22.3.0 for Python 3.7+ - if you use dash[ci] and you call black, this may alter your code formatting slightly, including more consistently breaking Python 2 compatibility.
  - Many other mainly JS dependency upgrades to the internals of Dash renderer and components. These may patch bugs or improve performance.
The question is whether we can switch to this, or is django-plotly-dash specifying it? Don't know at this stage.
Switched CSP back on again on staging just now to check
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-jux+iLD9uLzl/Rx7/Ph2/w=='". Either the 'unsafe-inline' keyword, a hash ('sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg='), or a nonce ('nonce-...') is required to enable inline execution.
patients:246 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-jux+iLD9uLzl/Rx7/Ph2/w=='". Either the 'unsafe-inline' keyword, a hash ('sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY='), or a nonce ('nonce-...') is required to enable inline execution.
rdrf.ccgapps.com.au/:1 Failed to load resource: the server responded with a status of 500 () DevTools failed to load source map: Could not load content for https://rdrf.ccgapps.com.au/cicclinical/static/js/vendor/underscore-min.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
The 1st inline style in question is:
<br>Time taken: 1.193978 seconds</br>
<div style="
position: relative;
padding-bottom: 50.0%;
height: 0;
overflow:hidden;
2nd inline style is the embedded iframe inline style
<iframe src="/cicclinical/dash/app/App/" style="
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
" frameborder="0" sandbox="allow-downloads allow-scripts allow-same-origin"></iframe>
Third error is
Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
10Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/@babel/polyfill@7.12.1/dist/polyfill.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/react@16.14.0/umd/react.production.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/react-dom@16.14.0/umd/react-dom.production.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/prop-types@15.8.1/prop-types.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-bootstrap-components@0.13.1/dist/dash_bootstrap_components.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-renderer@1.14.2/build/dash_renderer.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components-shared.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-html-components@2.0.5/dash_html_components/dash_html_components.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-table@5.1.6/dash_table/bundle.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
4th:
Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
errors on this page
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Dash</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
</head>
<body>
<div id="react-entry-point">
<div class="_dash-loading">
Loading...
</div>
</div>
<footer>
<script id="_dash-config" type="application/json">{"url_base_pathname":"/cicclinical/dash/app/App/","requests_pathname_prefix":"/cicclinical/dash/app/App/","ui":false,"props_check":false,"show_undo_redo":false,"suppress_callback_exceptions":false,"update_title":"Updating...","children_props":{"dash_core_components":{"Checklist":["options[].label"],"Clipboard":[],"ConfirmDialog":[],"ConfirmDialogProvider":[],"DatePickerRange":[],"DatePickerSingle":[],"Download":[],"Dropdown":["options[].label"],"Graph":[],"Input":[],"Interval":[],"Link":[],"Loading":[],"Location":[],"LogoutButton":[],"Markdown":[],"RadioItems":["options[].label"],"RangeSlider":[],"Slider":[],"Store":[],"Tab":[],"Tabs":[],"Textarea":[],"Tooltip":[],"Upload":[]},"dash_html_components":{"A":[],"Abbr":[],"Acronym":[],"Address":[],"Area":[],"Article":[],"Aside":[],"Audio":[],"B":[],"Base":[],"Basefont":[],"Bdi":[],"Bdo":[],"Big":[],"Blink":[],"Blockquote":[],"Br":[],"Button":[],"Canvas":[],"Caption":[],"Center":[],"Cite":[],"Code":[],"Col":[],"Colgroup":[],"Content":[],"Data":[],"Datalist":[],"Dd":[],"Del":[],"Details":[],"Dfn":[],"Dialog":[],"Div":[],"Dl":[],"Dt":[],"Em":[],"Embed":[],"Fieldset":[],"Figcaption":[],"Figure":[],"Font":[],"Footer":[],"Form":[],"Frame":[],"Frameset":[],"H1":[],"H2":[],"H3":[],"H4":[],"H5":[],"H6":[],"Header":[],"Hgroup":[],"Hr":[],"I":[],"Iframe":[],"Img":[],"Ins":[],"Kbd":[],"Keygen":[],"Label":[],"Legend":[],"Li":[],"Link":[],"Main":[],"MapEl":[],"Mark":[],"Marquee":[],"Meta":[],"Meter":[],"Nav":[],"Nobr":[],"Noscript":[],"ObjectEl":[],"Ol":[],"Optgroup":[],"Option":[],"Output":[],"P":[],"Param":[],"Picture":[],"Plaintext":[],"Pre":[],"Progress":[],"Q":[],"Rb":[],"Rp":[],"Rt":[],"Rtc":[],"Ruby":[],"S":[],"Samp":[],"Script":[],"Section":[],"Select":[],"Shadow":[],"Slot":[],"Small":[],"Source":[],"Spacer":[],"Span":[],"Strike":[],"Strong":[],"Sub":[],"Summary":[],"Sup":[],"Table":[],"Tbody":[],"Td":[],"Template":[],"Textarea":[],"Tfoot":[],"Th":[],"Thead":[],"Time":[],"Title
":[],"Tr":[],"Track":[],"U":[],"Ul":[],"Var":[],"Video":[],"Wbr":[],"Xmp":[]},"dash_table":{"DataTable":[]},"dash_bootstrap_components":{"Alert":null,"Badge":null,"Button":null,"ButtonGroup":null,"Carousel":null,"Collapse":null,"Fade":null,"Jumbotron":null,"Label":null,"Progress":null,"Spinner":null,"Table":null,"Toast":null,"Tooltip":null,"Card":null,"CardBody":null,"CardColumns":null,"CardDeck":null,"CardFooter":null,"CardGroup":null,"CardHeader":null,"CardImg":null,"CardImgOverlay":null,"CardLink":null,"DropdownMenu":null,"DropdownMenuItem":null,"Form":null,"FormFeedback":null,"FormGroup":null,"FormText":null,"Checkbox":null,"Checklist":null,"Input":null,"InputGroup":null,"InputGroupAddon":null,"InputGroupText":null,"RadioButton":null,"RadioItems":null,"Select":null,"Textarea":null,"Col":null,"Container":null,"Row":null,"ListGroup":null,"ListGroupItem":null,"ListGroupItemHeading":null,"ListGroupItemText":null,"Modal":null,"ModalBody":null,"ModalFooter":null,"ModalHeader":null,"Nav":null,"NavItem":null,"NavLink":null,"Navbar":null,"NavbarBrand":null,"NavbarSimple":null,"NavbarToggler":null,"Popover":null,"PopoverBody":null,"PopoverHeader":null,"Tab":null,"Tabs":null}}}</script>
<script src="https://unpkg.com/@babel/polyfill@7.12.1/dist/polyfill.min.js"></script>
<script src="https://unpkg.com/react@16.14.0/umd/react.production.min.js"></script>
<script src="https://unpkg.com/react-dom@16.14.0/umd/react-dom.production.min.js"></script>
<script src="https://unpkg.com/prop-types@15.8.1/prop-types.min.js"></script>
<script src="https://unpkg.com/dash-bootstrap-components@0.13.1/dist/dash_bootstrap_components.min.js"></script>
<script src="https://unpkg.com/dash-renderer@1.14.2/build/dash_renderer.min.js"></script>
<script src="https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components.js"></script>
<script src="https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components-shared.js"></script>
<script src="https://unpkg.com/dash-html-components@2.0.5/dash_html_components/dash_html_components.min.js"></script>
<script src="https://unpkg.com/dash-table@5.1.6/dash_table/bundle.js"></script>
<script id="_dash-renderer" type="application/javascript">var renderer = new DashRenderer();</script>
</footer>
</body>
</html>
5th same page above:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Either the 'unsafe-inline' keyword, a hash ('sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='), or a nonce ('nonce-...') is required to enable inline execution.
Looking at the network tab in the dev tools
The following urls get blocked by CSP
https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css
https://unpkg.com/@babel/polyfill@7.12.1/dist/polyfill.min.js
https://unpkg.com/react@16.14.0/umd/react.production.min.js
https://unpkg.com/react-dom@16.14.0/umd/react-dom.production.min.js
https://unpkg.com/prop-types@15.8.1/prop-types.min.js
https://unpkg.com/dash-bootstrap-components@0.13.1/dist/dash_bootstrap_components.min.js
https://unpkg.com/dash-renderer@1.14.2/build/dash_renderer.min.js
https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components.js
https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components-shared.js
https://unpkg.com/dash-html-components@2.0.5/dash_html_components/dash_html_components.min.js
https://unpkg.com/dash-table@5.1.6/dash_table/bundle.js
We're already adding sha's in our settings.py so will do the same
I added the CDNs to settings but still see the following:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
dash_renderer.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
t.exports @ dash_renderer.min.js:2
input.css?4f77:23 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
rn.insert @ input.css?4f77:23
logout.css?d957:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
$n.insert @ logout.css?d957:25
react-select@1.0.0-rc.3.min.css?908f:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
cr.insert @ react-select@1.0.0-rc.3.min.css?908f:25
_datepicker.css?6084:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
ro.insert @ _datepicker.css?6084:25
react-dates@20.1.0-fix.css?ebb9:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
ao.insert @ react-dates@20.1.0-fix.css?ebb9:25
dash_renderer.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce ('nonce-...') is required to enable inline execution.
t.exports @ dash_renderer.min.js:2
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-sRHUAGt9ONGMkVZY2UJpeiT970IWYM4AxNpdEpA4eVM='), or a nonce ('nonce-...') is required to enable inline execution.
e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-H0FnToUY2QAEbiVZj6MU+9AFUyO6VbXPIOIYtImS2+E='), or a nonce ('nonce-...') is required to enable inline execution.
e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ABAc/jP5jh9nYJA7dYY8KPn0WqF3usdABF0UiJapWTE='), or a nonce ('nonce-...') is required to enable inline execution.
e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-qlaSExM3UfafWRGtQM+djrxS6Hb+PJ7vCyWVeRtS3Ks='), or a nonce ('nonce-...') is required to enable inline execution.
e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-fi04yeslikPhs9Ak7XcrUns+Fv5eu7dctbXYyNUoPKc='), or a nonce ('nonce-...') is required to enable inline execution.
e.exports @ styleTagTransform.js:12
localhost/:31 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y=' 'sha256-hrJUUQGqwvUn6vHiNbJvnKMvoNUImDZW4BWYS1+DveE=' 'sha256-zd5y/MAtmfhfwgK8yvn/mFUcFE7BXp6UcAv3jnE5zZw=' 'sha256-ehPVrgdV2GwJCE7DAMSg8aCgaSH3TZmA66nZZv8XrTg=' 'sha256-hrJUUQGqwvUn6vHiNbJvnKMvoNUImDZW4BWYS1+DveE=' unpkg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='), or a nonce ('nonce-...') is required to enable inline execution.
https://github.com/plotly/dash/pull/1371
This allows inline script hashes of the Dash app to be calculated
But Django dash is a wrapper, so need to figure out how to call it, or subclass the code
dash/plotly gets blocked by our security settings in prod (on staging build):
viz for 6.6.37:
patients:239 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-C1os+RYAmOlAWr0Ai0qZjA=='". Either the 'unsafe-inline' keyword, a hash ('sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg='), or a nonce ('nonce-...') is required to enable inline execution.
patients:246 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-C1os+RYAmOlAWr0Ai0qZjA=='". Either the 'unsafe-inline' keyword, a hash ('sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY='), or a nonce ('nonce-...') is required to enable inline execution.
rdrf.ccgapps.com.au/:9 Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
10Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
rdrf.ccgapps.com.au/:31 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Either the 'unsafe-inline' keyword, a hash ('sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='), or a nonce ('nonce-...') is required to enable inline execution.
rdrf.ccgapps.com.au/:1 Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
DevTools failed to load source map: Could not load content for https://rdrf.ccgapps.com.au/cicclinical/static/js/vendor/underscore-min.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
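An added example, not part of the original ticket and not code from Dash or django-plotly-dash: one way to derive the `script-src` and `style-src` sources that the comments above collect by hand (inline hashes plus CDN hosts) from a page's HTML. `SAMPLE_PAGE` is a constructed abridgement of the HTML quoted in the ticket, and `csp_hash`, `CspAudit` and `source_lists` are hypothetical names.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script types a browser executes. Data blocks such as the page's
# type="application/json" _dash-config are never run and need no hash.
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}

# Constructed sample, abridged from the HTML quoted in the ticket;
# /static/js/local.js is made up to show a same-origin script.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
</head><body>
<div style="position: relative; overflow:hidden;">
<iframe src="/cicclinical/dash/app/App/" style="position: absolute; top: 0;"></iframe>
</div>
<script id="_dash-config" type="application/json">{"ui":false}</script>
<script src="https://unpkg.com/react@16.14.0/umd/react.production.min.js"></script>
<script src="/static/js/local.js"></script>
<script id="_dash-renderer" type="application/javascript">var renderer = new DashRenderer();</script>
</body></html>"""


def csp_hash(content):
    """Return the quoted CSP hash-source for a piece of inline content."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


class CspAudit(HTMLParser):
    """Collect what one HTML document needs from script-src and style-src."""

    def __init__(self):
        super().__init__()
        self.script_hosts, self.style_hosts = set(), set()
        self.script_hashes, self.style_hashes = [], []
        self.style_attr_hashes = []  # honoured only with 'unsafe-hashes'
        self._inline = None  # [tag, chunks] while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if "style" in a:
            # The attribute value is hashed as-is, whitespace included.
            self.style_attr_hashes.append(csp_hash(a["style"]))
        if tag == "script" and a.get("src"):
            self.script_hosts.add(urlsplit(a["src"]).hostname)
        elif tag == "script" and a.get("type", "").strip().lower() in JS_TYPES:
            self._inline = [tag, []]
        elif tag == "style":
            self._inline = [tag, []]
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self.style_hosts.add(urlsplit(a.get("href", "")).hostname)

    def handle_data(self, data):
        if self._inline:
            self._inline[1].append(data)  # the parser may deliver chunks

    def handle_endtag(self, tag):
        if self._inline and tag == self._inline[0]:
            target = self.script_hashes if tag == "script" else self.style_hashes
            target.append(csp_hash("".join(self._inline[1])))
            self._inline = None


def source_lists(html):
    """Build de-duplicated script-src / style-src source lists for html."""
    audit = CspAudit()
    audit.feed(html)
    audit.close()
    script = ["'self'"] + audit.script_hashes
    style = ["'self'"] + (["'unsafe-hashes'"] if audit.style_attr_hashes else [])
    style += audit.style_hashes + audit.style_attr_hashes
    # A host of None means a relative URL, which 'self' already covers.
    script += sorted(h for h in audit.script_hosts if h)
    style += sorted(h for h in audit.style_hosts if h)
    # dict.fromkeys drops repeated sources while keeping their order.
    return {"script-src": list(dict.fromkeys(script)),
            "style-src": list(dict.fromkeys(style))}


if __name__ == "__main__":
    print(source_lists(SAMPLE_PAGE))
```

`csp_hash("")` returns `'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='`, the value the browser suggests in the later "Refused to apply inline style" errors, so the style being checked there had empty content. Those errors are raised at runtime from scripts (`dash_renderer.min.js`, `styleTagTransform.js`), which a scan of the served HTML like this one does not see.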