plotly / plotly.js

Open-source JavaScript charting library behind Plotly and Dash
https://plotly.com/javascript/
MIT License

Document compatibility with CSP #4585

Open tdelmas opened 4 years ago

tdelmas commented 4 years ago

Per #897, plotly will not be 100% compatible with a strict Content Security Policy concerning script-src (i.e. without unsafe-eval).

But it's possible to use it with a strict policy, only some methods are not available: for example the basic bundle works with if we avoid Plotly.d3.csv (cf https://github.com/plotly/plotly.js/issues/897#issuecomment-586725814)

The documentation should highlight these limitations, because once a website starts using a method not compatible with a strong CSP, it will be really difficult to set up that policy in the future, thus weakening the security of that website. People should be aware of that trade-off, and know which methods they can use to avoid that pitfall.

tdelmas commented 4 years ago

Related: https://github.com/d3/d3-dsv/pull/67

tdelmas commented 4 years ago

Also the "download" feature requires blob: for img-src

AbdealiLoKo commented 4 years ago

Hi, wondering if there were any suggestions or workarounds on how to overcome these CSP-related issues? We are facing the same issue and are blocked from moving things to production due to it.

We found:

mcobzarenco commented 3 years ago

Same question as above -- unfortunately the way plotly insists on embedding charts seems pretty incompatible with CSP

AbdealiLoKo commented 1 year ago

Just documenting as I came across this recently again. There is now a strict bundle which should be better CSP compliant in plotly 2.x - https://github.com/plotly/plotly.js/blob/v2.0.0/dist/README.md#plotlyjs-strict

The note from that readme is as follows:

The strict partial bundle includes everything except the traces that require function constructors. Over time we hope to include more of the remaining trace types here, after which we intend to work on other strict CSP issues such as inline CSS that we may not be able to include in the main bundle.
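As an added example (not code from plotly.js or from any participant in this thread), the following JavaScript shows the two CSP trade-offs raised above in concrete form: a policy builder for a page that self-hosts the strict bundle without `'unsafe-eval'`, with `blob:` added to `img-src` only when the download button is wanted, and a small audit function that parses any CSP header value and reports whether it grants those two permissions. The bundle path `dist/plotly-strict.min.js` is taken from the readme link; the `style-src 'unsafe-inline'` line is an assumption based on the readme's note about inline CSS, not something the thread confirms.

```javascript
// Added example, not part of plotly.js or the issue thread.
// Builds a strict CSP for a page using the plotly.js strict bundle and audits
// policies for the two permissions discussed in the thread:
//   - 'unsafe-eval' in script-src (needed by the non-strict bundles, see #897)
//   - blob: in img-src (needed only by the "download as image" feature)

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Sources that apply to a fetch directive, falling back to default-src
// when the directive is absent (standard CSP fallback semantics).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || [];
}

// Report what a reviewer wants to know before adopting plotly on a CSP-protected page.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const script = effectiveSources(d, 'script-src');
  const img = effectiveSources(d, 'img-src');
  return {
    allowsEval: script.includes("'unsafe-eval'"),   // true means script-src is not strict
    allowsBlobImages: img.includes('blob:'),         // true means the download feature can work
  };
}

// Policy for a page that self-hosts dist/plotly-strict.min.js from its own origin.
// 'unsafe-eval' is deliberately absent; blob: is opt-in for the download button.
function strictPlotlyCsp({ allowDownload = true } = {}) {
  const imgSrc = ["'self'"];
  if (allowDownload) imgSrc.push('blob:');
  return [
    "default-src 'none'",
    "script-src 'self'",
    `img-src ${imgSrc.join(' ')}`,
    // Assumption: the strict bundle still injects inline CSS (readme caveat),
    // so style-src is relaxed here rather than script-src.
    "style-src 'self' 'unsafe-inline'",
    "connect-src 'self'",
  ].join('; ');
}

// Stand-alone run: print the recommended header and audit it.
console.log(strictPlotlyCsp());
console.log(auditCsp(strictPlotlyCsp()));
```

Serve the returned string as the `Content-Security-Policy` response header (or in a `<meta http-equiv>` tag) for the page that loads the strict bundle; run `auditCsp` against an existing header to see whether a site has already drifted into depending on `'unsafe-eval'`, which is the pitfall the first comment warns about.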