From fb3356c2837992202deb77ee58755936ef98d206 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20Fredrik=20Ki=C3=A6r?= <31612826+anders-kiaer@users.noreply.github.com> Date: Wed, 19 Feb 2020 19:51:14 +0000 Subject: [PATCH] CSP change while waiting for upstream issue in plotly.js (#201) --- README.md | 2 +- webviz_config/_theme_class.py | 15 +++++++++------ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index f8c6f111..e0a9459e 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ This Python package, `webviz-config`, is the core plugin framework. For a real e - **You know [Python](https://www.python.org/)**, and want to create generic or specialized dashboards you or other users can reuse by simply asking for it in the Webviz configuration file. This can be done without knowing JavaScript (see also [Dash](https://plot.ly/dash/) for more information). - **You know [React](https://reactjs.org/)**, and want to create highly specialized visualization which Python or pure config-file users can reuse. -*Webviz* will create web applications with very :lock: strict security headers and CSP settings, giving an rating of **A+** on e.g. [Mozilla observatory](https://observatory.mozilla.org/). It also facilitates a :whale: Docker setup, where the Python code can be ran completely unpriviliged in a sandbox (both with respect to file system access and network communication). +*Webviz* will create web applications with very :lock: strict security headers and CSP settings, giving an rating of **A+** on e.g. [Mozilla observatory](https://observatory.mozilla.org/) (note that generated applications are temporarily not getting A+ due to [this `plotly.js` issue](https://github.com/plotly/plotly.js/issues/897)). It also facilitates a :whale: Docker setup, where the Python code can be ran completely unpriviliged in a sandbox (both with respect to file system access and network communication). Example configuration file and information about the standard plugins can be seen in [the documentation](https://equinor.github.io/webviz-config/). diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py index d3309c10..acbce353 100644 --- a/webviz_config/_theme_class.py +++ b/webviz_config/_theme_class.py @@ -17,14 +17,15 @@ def __init__(self, theme_name: str): "style-src": ["'self'", "'unsafe-inline'"], # [1] "script-src": [ "'self'", - "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='", - ], # [2] + "'unsafe-eval'", # [2] + "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='", # [3] + ], "img-src": ["'self'", "data:"], "navigate-to": "'self'", "base-uri": "'self'", "form-action": "'self'", - "frame-ancestors": "'self'", # [3] - "frame-src": "'self'", # [3] + "frame-ancestors": "'self'", # [4] + "frame-src": "'self'", # [4] "object-src": "'self'", "plugin-types": "application/pdf", } @@ -33,8 +34,10 @@ def __init__(self, theme_name: str): These are the current exceptions to the most strict CSP setup: [1] unsafe-inline for style still needed by plotly (https://github.com/plotly/plotly.js/issues/2355) - [2] https://github.com/plotly/dash/issues/630 - [3] We use 'self' instead of 'none' due to what looks like a Chromium bug, + [2] unsafe-eval still needed for plotly.js bundle + (https://github.com/plotly/plotly.js/issues/897) + [3] https://github.com/plotly/dash/issues/630 + [4] We use 'self' instead of 'none' due to what looks like a Chromium bug, where e.g. pdf's included using is not rendered. Might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=1002610 """