oetiker / rrdtool-1.x

RRDtool 1.x - Round Robin Database
http://www.rrdtool.org
GNU General Public License v2.0

Bug and feature request: SVG graphs with strict CSP style-src 'self' not visible due to style attribute #1093

Open FinzelStefan opened 4 years ago

FinzelStefan commented 4 years ago

RRDtool 1.7.2

SVG graphs are always visible with CSP policy style-src 'self' 'unsafe-inline'.

Using a strict Content Security Policy with style-src 'self' on an httpd server will cause any RRD SVG file loaded by itself in a browser (Chrome, Edge, Firefox and Opera) not to be visible anymore.

SVG files may include style attributes. Inline style attributes require style-src 'self' 'unsafe-inline' to work. This is no issue as long as the SVG file is included in an html page itself. But a right mouse click to view the graph separately will result in a page with the SVG not visible.

To support strict CSP on httpd servers it is requested to avoid using inline style in SVG files at all. This is simple as any style can be replaced by using attributes, e.g.

a painful: <path style="stroke:none;" d="... gets to <path stroke="none" d="...

Please note CSP is a matter of security and httpd configuration and should not be changed by applications themselves. My current workaround is to change CSP to style-src 'self' 'unsafe-inline' for all SVG created by rrdtool.

FinzelStefan commented 4 years ago

My trick of changing CSP was working but found no mercy in a secure environment. CSP is not allowed to be changed there.

As already mentioned it is sufficient to replace the content of attribute style by its attributes with the same name. CSP style-src 'self' is then sufficient.

Using classes instead has the same drawback. It too requires style-src 'self' 'unsafe-inline' to work in the file, or to create and load the classes from a separate css file.
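As an added illustration of the conversion the reporter asks for (this is not rrdtool's code and not part of the issue), the following standard-library script rewrites every inline `style` attribute in an SVG into the equivalent presentation attributes, which CSP `style-src` does not govern. The sample SVG is constructed to mimic the shape of an rrdtool graph fragment; the function and helper names are the author's own.

```python
"""Post-process an SVG so it renders under CSP `style-src 'self'`.

Every inline `style="..."` attribute is replaced by SVG presentation
attributes of the same name (e.g. `stroke:none;` -> stroke="none").
Only the standard library is used.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"


def style_to_attrs(style: str) -> dict:
    """Parse a CSS declaration list into {property: value}.

    Empty declarations and a trailing ';' are ignored; surrounding
    whitespace is stripped from both property and value.
    """
    attrs = {}
    for decl in style.split(";"):
        if ":" not in decl:
            continue  # empty or malformed declaration
        prop, value = decl.split(":", 1)
        prop, value = prop.strip(), value.strip()
        if prop and value:
            attrs[prop] = value
    return attrs


def strip_inline_style(svg_text: str) -> str:
    """Return the SVG with all style attributes turned into presentation attributes."""
    ET.register_namespace("", SVG_NS)  # keep <svg> elements unprefixed on output
    root = ET.fromstring(svg_text)
    for el in root.iter():
        style = el.attrib.pop("style", None)
        if style is None:
            continue
        # An inline style overrides a presentation attribute of the same name,
        # so the style value must win to preserve the rendered result.
        el.attrib.update(style_to_attrs(style))
    return ET.tostring(root, encoding="unicode")


# Constructed sample resembling an rrdtool graph fragment (not real rrdtool output).
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<path style="stroke:none;fill:#0000ff;" d="M0,0 L10,10"/>'
    '<text style="font-size:10px;" x="1" y="1">x</text>'
    '</svg>'
)

if __name__ == "__main__":
    print(strip_inline_style(SAMPLE_SVG))
```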