csp blocks plotly on staging release #2270

Open
id2359 opened this issue Nov 25, 2022 · 15 comments


id2359 commented Nov 25, 2022

dash/plotly gets blocked by our security settings in prod (on staging build):

viz for 6.6.37:

patients:239 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-C1os+RYAmOlAWr0Ai0qZjA=='". Either the 'unsafe-inline' keyword, a hash ('sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg='), or a nonce ('nonce-...') is required to enable inline execution.

patients:246 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-C1os+RYAmOlAWr0Ai0qZjA=='". Either the 'unsafe-inline' keyword, a hash ('sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY='), or a nonce ('nonce-...') is required to enable inline execution.

rdrf.ccgapps.com.au/:9 Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

10Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

rdrf.ccgapps.com.au/:31 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Either the 'unsafe-inline' keyword, a hash ('sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='), or a nonce ('nonce-...') is required to enable inline execution.

rdrf.ccgapps.com.au/:1 Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

DevTools failed to load source map: Could not load content for https://rdrf.ccgapps.com.au/cicclinical/static/js/vendor/underscore-min.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE


id2359 commented Nov 28, 2022

plotly/dash#1794


id2359 commented Nov 28, 2022

A comment on the above ticket suggests this can be fixed by using the "strict" plotly js bundle:

https://github.com/plotly/dash/blob/dev/CHANGELOG.md#230---2022-03-13


id2359 commented Nov 28, 2022

comment there says:

Updated
plotly/dash#2016, plotly/dash#2032, and plotly/dash#2042 Widespread dependency upgrades
Upgrade Plotly.js to v2.12.1 (from v2.11.0).
Feature release 2.12.0 adds minor ticks and gridlines, as well as dashed gridlines.
Patch release 2.11.1 fixes regl-based traces in strict CSP mode, however you must manually switch to the strict bundle to use this.
Patch release 2.12.1 fixes several bugs.
Upgrade black to v22.3.0 for Python 3.7+ - if you use dash[ci] and you call black, this may alter your code formatting slightly, including more consistently breaking Python 2 compatibility.
Many other mainly JS dependency upgrades to the internals of Dash renderer and components. These may patch bugs or improve performance.


id2359 commented Nov 28, 2022

The question is whether we can switch to this, or is django-plotly-dash specifying it? Don't know at this stage.


id2359 commented Nov 28, 2022

id2359 added a commit that referenced this issue Nov 28, 2022

id2359 commented Nov 29, 2022

Switched CSP back on again on staging just now to check:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-jux+iLD9uLzl/Rx7/Ph2/w=='". Either the 'unsafe-inline' keyword, a hash ('sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg='), or a nonce ('nonce-...') is required to enable inline execution.

patients:246 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'nonce-jux+iLD9uLzl/Rx7/Ph2/w=='". Either the 'unsafe-inline' keyword, a hash ('sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY='), or a nonce ('nonce-...') is required to enable inline execution.

rdrf.ccgapps.com.au/:1 Failed to load resource: the server responded with a status of 500 ()
DevTools failed to load source map: Could not load content for https://rdrf.ccgapps.com.au/cicclinical/static/js/vendor/underscore-min.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE


id2359 commented Nov 29, 2022

The 1st inline style in question is:

 <br>Time taken: 1.193978 seconds</br>
    <div style="
    position: relative;
    padding-bottom: 50.0%;
    height: 0;
    overflow:hidden;


id2359 commented Nov 29, 2022

2nd inline style is the embedded iframe inline style

<iframe src="/cicclinical/dash/app/App/" style="
    position: absolute;
    top: 0;
    left: 0;
    width: 100%;
    height: 100%;
    " frameborder="0" sandbox="allow-downloads allow-scripts allow-same-origin"></iframe>


id2359 commented Nov 29, 2022

Third error is

Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

10Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/@babel/polyfill@7.12.1/dist/polyfill.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/react@16.14.0/umd/react.production.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/react-dom@16.14.0/umd/react-dom.production.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

/cicclinical/dash/app/App/:1 Refused to load the script 'https://unpkg.com/prop-types@15.8.1/prop-types.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-bootstrap-components@0.13.1/dist/dash_bootstrap_components.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-renderer@1.14.2/build/dash_renderer.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components-shared.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-html-components@2.0.5/dash_html_components/dash_html_components.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

rdrf.ccgapps.com.au/:1 Refused to load the script 'https://unpkg.com/dash-table@5.1.6/dash_table/bundle.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.


id2359 commented Nov 29, 2022

4th:

Refused to load the stylesheet 'https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE='". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
errors on this page
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
      <meta charset="UTF-8">
      <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Dash</title>
        
        <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    </head>
    <body>
        
<div id="react-entry-point">
  <div class="_dash-loading">
    Loading...
  </div>
</div>

        <footer>
            <script id="_dash-config" type="application/json">{"url_base_pathname":"/cicclinical/dash/app/App/","requests_pathname_prefix":"/cicclinical/dash/app/App/","ui":false,"props_check":false,"show_undo_redo":false,"suppress_callback_exceptions":false,"update_title":"Updating...","children_props":{"dash_core_components":{"Checklist":["options[].label"],"Clipboard":[],"ConfirmDialog":[],"ConfirmDialogProvider":[],"DatePickerRange":[],"DatePickerSingle":[],"Download":[],"Dropdown":["options[].label"],"Graph":[],"Input":[],"Interval":[],"Link":[],"Loading":[],"Location":[],"LogoutButton":[],"Markdown":[],"RadioItems":["options[].label"],"RangeSlider":[],"Slider":[],"Store":[],"Tab":[],"Tabs":[],"Textarea":[],"Tooltip":[],"Upload":[]},"dash_html_components":{"A":[],"Abbr":[],"Acronym":[],"Address":[],"Area":[],"Article":[],"Aside":[],"Audio":[],"B":[],"Base":[],"Basefont":[],"Bdi":[],"Bdo":[],"Big":[],"Blink":[],"Blockquote":[],"Br":[],"Button":[],"Canvas":[],"Caption":[],"Center":[],"Cite":[],"Code":[],"Col":[],"Colgroup":[],"Content":[],"Data":[],"Datalist":[],"Dd":[],"Del":[],"Details":[],"Dfn":[],"Dialog":[],"Div":[],"Dl":[],"Dt":[],"Em":[],"Embed":[],"Fieldset":[],"Figcaption":[],"Figure":[],"Font":[],"Footer":[],"Form":[],"Frame":[],"Frameset":[],"H1":[],"H2":[],"H3":[],"H4":[],"H5":[],"H6":[],"Header":[],"Hgroup":[],"Hr":[],"I":[],"Iframe":[],"Img":[],"Ins":[],"Kbd":[],"Keygen":[],"Label":[],"Legend":[],"Li":[],"Link":[],"Main":[],"MapEl":[],"Mark":[],"Marquee":[],"Meta":[],"Meter":[],"Nav":[],"Nobr":[],"Noscript":[],"ObjectEl":[],"Ol":[],"Optgroup":[],"Option":[],"Output":[],"P":[],"Param":[],"Picture":[],"Plaintext":[],"Pre":[],"Progress":[],"Q":[],"Rb":[],"Rp":[],"Rt":[],"Rtc":[],"Ruby":[],"S":[],"Samp":[],"Script":[],"Section":[],"Select":[],"Shadow":[],"Slot":[],"Small":[],"Source":[],"Spacer":[],"Span":[],"Strike":[],"Strong":[],"Sub":[],"Summary":[],"Sup":[],"Table":[],"Tbody":[],"Td":[],"Template":[],"Textarea":[],"Tfoot":[],"Th":[],"Thead":[],"Tim
e":[],"Title":[],"Tr":[],"Track":[],"U":[],"Ul":[],"Var":[],"Video":[],"Wbr":[],"Xmp":[]},"dash_table":{"DataTable":[]},"dash_bootstrap_components":{"Alert":null,"Badge":null,"Button":null,"ButtonGroup":null,"Carousel":null,"Collapse":null,"Fade":null,"Jumbotron":null,"Label":null,"Progress":null,"Spinner":null,"Table":null,"Toast":null,"Tooltip":null,"Card":null,"CardBody":null,"CardColumns":null,"CardDeck":null,"CardFooter":null,"CardGroup":null,"CardHeader":null,"CardImg":null,"CardImgOverlay":null,"CardLink":null,"DropdownMenu":null,"DropdownMenuItem":null,"Form":null,"FormFeedback":null,"FormGroup":null,"FormText":null,"Checkbox":null,"Checklist":null,"Input":null,"InputGroup":null,"InputGroupAddon":null,"InputGroupText":null,"RadioButton":null,"RadioItems":null,"Select":null,"Textarea":null,"Col":null,"Container":null,"Row":null,"ListGroup":null,"ListGroupItem":null,"ListGroupItemHeading":null,"ListGroupItemText":null,"Modal":null,"ModalBody":null,"ModalFooter":null,"ModalHeader":null,"Nav":null,"NavItem":null,"NavLink":null,"Navbar":null,"NavbarBrand":null,"NavbarSimple":null,"NavbarToggler":null,"Popover":null,"PopoverBody":null,"PopoverHeader":null,"Tab":null,"Tabs":null}}}</script>
            <script src="https://unpkg.com/@babel/polyfill@7.12.1/dist/polyfill.min.js"></script>
<script src="https://unpkg.com/react@16.14.0/umd/react.production.min.js"></script>
<script src="https://unpkg.com/react-dom@16.14.0/umd/react-dom.production.min.js"></script>
<script src="https://unpkg.com/prop-types@15.8.1/prop-types.min.js"></script>
<script src="https://unpkg.com/dash-bootstrap-components@0.13.1/dist/dash_bootstrap_components.min.js"></script>
<script src="https://unpkg.com/dash-renderer@1.14.2/build/dash_renderer.min.js"></script>
<script src="https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components.js"></script>
<script src="https://unpkg.com/dash-core-components@2.6.2/dash_core_components/dash_core_components-shared.js"></script>
<script src="https://unpkg.com/dash-html-components@2.0.5/dash_html_components/dash_html_components.min.js"></script>
<script src="https://unpkg.com/dash-table@5.1.6/dash_table/bundle.js"></script>
            <script id="_dash-renderer" type="application/javascript">var renderer = new DashRenderer();</script>
        </footer>
    </body>
</html>


id2359 commented Nov 29, 2022

5th same page above:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='". Either the 'unsafe-inline' keyword, a hash ('sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='), or a nonce ('nonce-...') is required to enable inline execution.


id2359 commented Nov 29, 2022

We're already adding SHAs in our settings.py, so will do the same.


id2359 commented Nov 30, 2022

I added the CDNs to settings but still see the following:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

dash_renderer.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

t.exports @ dash_renderer.min.js:2
input.css?4f77:23 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

rn.insert @ input.css?4f77:23
logout.css?d957:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

$n.insert @ logout.css?d957:25
react-select@1.0.0-rc.3.min.css?908f:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

cr.insert @ react-select@1.0.0-rc.3.min.css?908f:25
_datepicker.css?6084:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

ro.insert @ _datepicker.css?6084:25
react-dates@20.1.0-fix.css?ebb9:25 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

ao.insert @ react-dates@20.1.0-fix.css?ebb9:25
dash_renderer.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce ('nonce-...') is required to enable inline execution.

t.exports @ dash_renderer.min.js:2
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-sRHUAGt9ONGMkVZY2UJpeiT970IWYM4AxNpdEpA4eVM='), or a nonce ('nonce-...') is required to enable inline execution.

e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-H0FnToUY2QAEbiVZj6MU+9AFUyO6VbXPIOIYtImS2+E='), or a nonce ('nonce-...') is required to enable inline execution.

e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ABAc/jP5jh9nYJA7dYY8KPn0WqF3usdABF0UiJapWTE='), or a nonce ('nonce-...') is required to enable inline execution.

e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-qlaSExM3UfafWRGtQM+djrxS6Hb+PJ7vCyWVeRtS3Ks='), or a nonce ('nonce-...') is required to enable inline execution.

e.exports @ styleTagTransform.js:12
styleTagTransform.js:12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-ILezS+pYH/m5JXDQav+PE/702qHfcybyTQN3LgCWO8Y=' 'sha256-95UDRqT5lxsVhRRfuJa6qGWsZAFhKXqS7cvo1bxVHcE=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' 'sha256-79N0PCus1ItTrODBcppilxJWMQWeWolzFPLtXZFXRSg=' 'sha256-emeTF2a3X40J0nFSPvpt1OLLXerDe/PvLorOzUezxdY=' stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-fi04yeslikPhs9Ak7XcrUns+Fv5eu7dctbXYyNUoPKc='), or a nonce ('nonce-...') is required to enable inline execution.

e.exports @ styleTagTransform.js:12
localhost/:31 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y=' 'sha256-hrJUUQGqwvUn6vHiNbJvnKMvoNUImDZW4BWYS1+DveE=' 'sha256-zd5y/MAtmfhfwgK8yvn/mFUcFE7BXp6UcAv3jnE5zZw=' 'sha256-ehPVrgdV2GwJCE7DAMSg8aCgaSH3TZmA66nZZv8XrTg=' 'sha256-hrJUUQGqwvUn6vHiNbJvnKMvoNUImDZW4BWYS1+DveE=' unpkg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='), or a nonce ('nonce-...') is required to enable inline execution.


id2359 commented Nov 30, 2022

plotly/dash#1371

This allows inline script hashes of the dash app to be calculated.

But Django dash is a wrapper, so need to figure out how to call it, or subclass the code.
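
Added example, not code from this thread or project: a Python triage of the Chrome console errors quoted in the comments above, which groups the hash or host each violation asks for under the directive that was actually violated and flags a hash that is listed under a different directive. The sample lines are abridged from the console output in this thread (policies shortened); the function names and the output layout are assumptions of this example. It also shows that `sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`, the hash most of the later errors ask for, is the digest of empty input.

```python
"""Triage Chrome CSP console errors into per-directive allow-list changes."""
import base64
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit


def csp_hash(inline_text: str) -> str:
    """Return the CSP hash-source for the exact text of an inline block."""
    digest = hashlib.sha256(inline_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


EMPTY_HASH = csp_hash("")  # hash-source for zero bytes of inline content

_DIRECTIVE = re.compile(r'directive: "(?P<name>[a-z-]+) (?P<sources>[^"]*)"')
_HASH = re.compile(r"a hash \('(?P<hash>sha256-[A-Za-z0-9+/]+=*)'\)")
_URL = re.compile(r"Refused to load the \w+ '(?P<url>https?://[^']+)'")


def parse_violation(line: str):
    """Extract (directive, enforced sources, source the browser asks for)."""
    directive = _DIRECTIVE.search(line)
    if directive is None:
        return None  # not a CSP violation (e.g. a source-map 404)
    inline, remote = _HASH.search(line), _URL.search(line)
    if inline:
        needed = "'" + inline["hash"] + "'"
    elif remote:
        needed = urlsplit(remote["url"]).hostname  # host-source
    else:
        return None
    return directive["name"], directive["sources"].split(), needed


def triage(lines):
    """Group requested sources by directive and flag cross-directive mix-ups."""
    enforced = defaultdict(set)  # directive -> sources seen in its policy
    wanted = defaultdict(set)    # directive -> sources the browser asked for
    for line in lines:
        parsed = parse_violation(line)
        if parsed is None:
            continue
        name, sources, needed = parsed
        enforced[name].update(sources)
        wanted[name].add(needed)
    # A hash only counts in the directive that governs the blocked element.
    misplaced = sorted(
        (src, want, other)
        for want, srcs in wanted.items()
        for src in srcs
        for other, policy in enforced.items()
        if other != want and src in policy
    )
    return {
        "add": {name: sorted(srcs) for name, srcs in wanted.items()},
        "misplaced": misplaced,
        "empty_inline": sorted(n for n, s in wanted.items() if EMPTY_HASH in s),
    }


# Abridged from the console output quoted in this thread; policies shortened.
_STYLE = ("style-src 'self' 'unsafe-hashes' "
          "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0=' "
          "stackpath.bootstrapcdn.com")
_SCRIPT = "script-src 'self' 'sha256-r8Ei+YwP2DFcnblmk8Dzmb7Kh1iRT/3fv8R9JsfGd/Y='"
_INLINE = ('{where} Refused to {verb} because it violates the following Content '
           'Security Policy directive: "{policy}". Either the \'unsafe-inline\' '
           "keyword, a hash ('{h}'), or a nonce ('nonce-...') is required to "
           "enable inline execution.")
SAMPLE_CONSOLE = [
    _INLINE.format(where="dash_renderer.min.js:2", verb="apply inline style",
                   policy=_STYLE,
                   h="sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="),
    _INLINE.format(where="dash_renderer.min.js:2", verb="apply inline style",
                   policy=_STYLE,
                   h="sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg="),
    _INLINE.format(where="localhost/:31", verb="execute inline script",
                   policy=_SCRIPT + " unpkg.com",
                   h="sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0="),
    "/cicclinical/dash/app/App/:1 Refused to load the script "
    "'https://unpkg.com/react@16.14.0/umd/react.production.min.js' because it "
    'violates the following Content Security Policy directive: "' + _SCRIPT +
    "\". Note that 'script-src-elem' was not explicitly set, so 'script-src' "
    "is used as a fallback.",
    "DevTools failed to load source map: HTTP error: status code 404",
]

if __name__ == "__main__":
    report = triage(SAMPLE_CONSOLE)
    for name, sources in report["add"].items():
        print(name, "needs", " ".join(sources))
    for src, want, other in report["misplaced"]:
        print(src, "is listed in", other, "but was requested for", want)
    print("empty inline content reported for:", report["empty_inline"])
```
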
