Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork2k
Remove inline styles that break plots in strict CSP setups#7109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Support strict Content Security Policies that don't allow unsafe inlinestyles by:* Removing add/deleteRelatedStyleRule from modebar and use event listeners to emulate the on hover behavior by setting style properties directly on the element, which is allowed in strict CSP environments.* Output the main/library-wide CSS rules that are inlined when the library loads into a static CSS file so that users can include it within their applications in an acceptable manner. This allows `addRelatedStyleRule` calls to fail without affecting functionality.* Provide a way to prevent `addRelatedStyleRule` from running when the static CSS file is already included in the app to prevent superfluous errors in console output.* Replace inline styles from "newplotlylogo" with attribute to set the fill color directly on the elements.Note: The `dist/plotly.css` file will need to be added to the releasefiles.Fixesplotly#2355 Plotly uses inline CSS
birkskyum commentedSep 13, 2024
@martian111 , are you able to rebase this? I'm interested in knowing how the maplibre-gl.css fares in your CSP setup. The mapbox gl css issues you resolve here will if not earlier likely be resolve at the time of v3 with the removal of thedeprecated mapbox traces. |
archmoj commentedSep 16, 2024
@martian111 Please fetch |
martian111 commentedSep 19, 2024
Yes, I'll try to rebase or merge from master when I get some time after work (possibly in the weekend). |
Fixed unit tests by updating the expectations as appropriate to matchthe changed logic in Pull Requestplotly#7109. This revealed a bug wherebackground color changes applied using `Plotly.relayout()` were missed.This bug was also fixed in this change in order to get all unit tests,as updated, to pass.
martian111 commentedOct 20, 2024
@birkskyum,@archmoj, sorry for the delay getting back to this. Per your request, I've merged @birkskyum , I haven't used Plotly enough to understand the impact of mapbox vs maplibre. I did retest everything after the merge and fixes using my simple scatter chart example in the CodeSandbox referenced above. Also, as an aside, I did find another feature of Plotly that does not work with strict CSP: Using Thanks! |
archmoj commentedOct 20, 2024
Thanks for the updates. |
archmoj commentedOct 20, 2024
I think npm run strict instead of npm start Thank you! |
birkskyum commentedOct 20, 2024 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Yes, maplibre appears to be alright, it's only the mapbox traces that are affected by this PR. |
archmoj commentedOct 20, 2024
Thanks@birkskyum for testing. This PR is looking good in my eyes. |
martian111 commentedOct 20, 2024 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Thanks@archmoj and@birkskyum ! I am a bit confused on what you mean by "only the mapbox traces that are affected by this PR". Based on what I understand, the bulk of the changes impact the Modebar, which seems to be applicable to all (or most) Plotly trace types and not only the map trace types listed inMigrate to Maplibre in JavaScript. For example, I've been testing with the basic "scatter" trace type in the linked CodeSandbox. Can you please clarify? I'm trying to understand this library more to see if I even need to look into the |
birkskyum commentedOct 20, 2024
I meant, when considering just mapbox and maplibre traces, it's only mapbox ones - but as you point out there are some generic changes too. |
martian111 commentedOct 20, 2024
I see, thanks! |
Uh oh!
There was an error while loading.Please reload this page.
maryla-uc commentedJan 7, 2025
I don't see any plotly.css file anywhere. Is this expected? Should it be added to the dist/ directory? This feature should also be documented somewhere. Right now I think this PR is the only way to learn about it. |
maryla-uc commentedJan 7, 2025
And note that providing the css file would also help with#1433 (see the last comment for example). |
Support strict Content Security Policies that don't allow unsafe inline styles by:
addRelatedStyleRulecalls to fail without affecting functionality.addRelatedStyleRulefrom running when the static CSS file is already included in the app to prevent superfluous errors in console output.Note: The
dist/plotly.cssfile will need to be added to the release files.Possiblyfixes#2355 Plotly uses inline CSS
This pull request is the result of reviewing and testing Pull Request#6239, which did not work properly when I tested it against the v2.34.0 release tag (the most recent release at the time of testing and over 2 years since that pull request was created). It also incorporate the comments within that pull request to improve on this one.
Expected Results
plotly.cssinto the application in a way allowed by their CSP. A separate build is not required to get this fix.plotly.css.addRelatedStyleRulewill also output a warning message: "Cannot addRelatedStyleRule, probably due to strict CSP..."<div></div>This will cause the
addRelatedStyleRulefunction to not attempt to add the inline styles.Testing
Testing this is a bit tricky to setup, but I do have an basic sandbox created that seems to demonstrate:
plotly-basic.jsfile from the v2.34.0 release.plotly-basic.jspatched with this pull request.CSB has some special quirks, so the CSP was relaxed to allow things to work due to CSB specifics. However, it was not set up to permit unsafe inline styles nor does it contain the sha256 hash of styles inlined by Plotly.
See comments in the
ScatterChart.tsxandindex.htmlfiles.https://kl75h2.csb.app/
https://codesandbox.io/s/kl75h2
Followup Questions
deleteRelatedStyleRuleis no longer used anywhere else in the code. It was used by only inmodebar.jsbefore this change. Should that function be deleted?addStyleRuleis used in two places, both of which are accounted for in this pull request (insrc/registry.jsandbuild/plotcss.js). How should we warn developers in the future who comes across this function? Add comments and/or rename it to something likeaddStyleRuleUnsafelyInline?Limitations
I don't much experience with Plotly.js and have been using it only for a simple scatter chart (like the one in the CSB above). I don't have enough experience to understand if more changes are needed beyond my simple test case and the work done in Pull Request#6239. Hopefully this is still helpful to bring this library closer to supporting strict CSP's.