From b5a3976b5c888356a98bc11ef25a0cce5f96a42a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20Fredrik=20Ki=C3=A6r?= <31612826+anders-kiaer@users.noreply.github.com>
Date: Tue, 6 Oct 2020 14:32:48 +0200
Subject: [PATCH] Support plotly.js screenshot download (#321)
---
 CHANGELOG.md | 5 ++++-
 webviz_config/_theme_class.py | 11 +++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 69e2e3d1..50238559 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [UNRELEASED] - YYYY-MM-DD
 ### Changed
-
 - [#230](https://github.com/equinor/webviz-config/pull/230) - Instead of using `dcc.Tabs` to give the impression of a "multipage app", webviz now uses `dcc.Link` and `dcc.Location`. This has two main advantages: Big applications can have significantly
@@ -18,6 +17,10 @@ authors should check that persistence is set to `session` on Dash components the
 if they want user selections to remain across "page" changes. In order to get more easily typed URLs, runtime generated page IDs now use `-` instead of `_` for spaces.
+### Fixed
+- [#321](https://github.com/equinor/webviz-config/pull/321) - Allowed for `blob:`
+in `img-src` CSP such that `plotly.js` "Download to png" works properly.
+
 ## [0.1.4] - 2020-09-24
 ### Added
diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py
index 50529869..1c27a0cd 100644
--- a/webviz_config/_theme_class.py
+++ b/webviz_config/_theme_class.py
@@ -19,12 +19,12 @@ def __init__(self, theme_name: str):
 "'self'",
 "'unsafe-eval'", # [2]
 ],
- "img-src": ["'self'", "data:"],
+ "img-src": ["'self'", "data:", "blob:"], # [3]
 "navigate-to": "'self'",
 "base-uri": "'self'",
 "form-action": "'self'",
- "frame-ancestors": "'self'", # [3]
- "frame-src": "'self'", # [3]
+ "frame-ancestors": "'self'", # [4]
+ "frame-src": "'self'", # [4]
 "object-src": "'self'",
 "plugin-types": "application/pdf",
 }
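Review bot: Nothing guards the `img-src` entry in the `_theme_class.py` hunk against later drift, and it is the one directive visible here that now carries two scheme sources (`data:` and `blob:`). In an image context these are low risk, but the same schemes under `script-src`, `object-src` or `frame-src` would allow script-created content to run or be embedded. A small unit test asserting that `data:` and `blob:` appear only under `img-src` in the theme's CSP would make that boundary explicit. The dictionary and `__init__` begin outside the hunk, so it is only inferred that this CSP is the default for every generated app.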
@@ -35,7 +35,10 @@ def __init__(self, theme_name: str):
 (https://github.com/plotly/plotly.js/issues/2355)
 [2] unsafe-eval still needed for plotly.js bundle
 (https://github.com/plotly/plotly.js/issues/897)
- [3] We use 'self' instead of 'none' due to what looks like a Chromium bug,
+ [3] html2canvas in webviz-core-components needs "data:" in img-src to create
+ screenshots, while plotly.js "Download screenshot to png" requires
+ "blob:" in img-src.
+ [4] We use 'self' instead of 'none' due to what looks like a Chromium bug,
 where e.g. pdf's included using is not rendered. Might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=1002610
 """
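Review bot: The new footnote [3] says which features need `data:` and `blob:`, but not that the allowance is deliberately limited to `img-src`. Unlike [1] and [2] it also cites no upstream issue, so a later maintainer has nothing to check before widening or removing it. I would add a closing sentence such as `Both schemes are allowed for img-src only; do not add them to script-src, object-src or frame-src.` and, if one exists, a link to the plotly.js issue or source that shows the `blob:` requirement. The feature is called "Download screenshot to png" here and "Download to png" in the changelog entry of this same patch; using one name would make it easier to search for. The docstring opens outside this hunk.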