Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Forced to use 'unsafe-eval' and 'unsafe-inline' in CSP #1794

Closed
shadydealer opened this issue Oct 6, 2021 · 3 comments
Closed

[BUG] Forced to use 'unsafe-eval' and 'unsafe-inline' in CSP #1794

shadydealer opened this issue Oct 6, 2021 · 3 comments

Comments

@shadydealer
Copy link

shadydealer commented Oct 6, 2021

Describe your context
python 3.8

dash                      2.0.0
dash-bootstrap-components 1.0.0b3
dash-core-components      2.0.0
dash-html-components      2.0.0
dash-table                5.0.0

Describe the bug
I'm trying to setup a dash with flask along with talisman like so:

server = flask.Flask(__name__)

# Setup the Dash app
app = dash.Dash(
    "Test App",
    suppress_callback_exceptions=True,
    external_stylesheets=[dbc.themes.BOOTSTRAP],
    server=server,
)

flask_talisman.Talisman(
    server,
    content_security_policy= {
        "default-src": [
            "'self'",
            ...
        ],
        "style-src": [
            "'self'",
            ...
        ],
        "img-src": [
            "'self'",
            ...
        ],
        "script-src": [
            "'self'",
            ...
        ] + app.csp_hashes(),
    }
)

But the following errors occur in Firefox 92.0:

Uncaught EvalError: call to eval() blocked by CSP
    js http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7383
    __webpack_require__ http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7440
    <anonymous> http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7523
    <anonymous> http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7527
dash_renderer.v2_0_0m1633506978.dev.js:7383:1
Some cookies are misusing the recommended “SameSite“ attribute 2
Uncaught ReferenceError: DashRenderer is not defined
    <anonymous> http://localhost:8050/:30
localhost:8050:30:16
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). dash_renderer.v2_0_0m1633506978.dev.js:7383
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). input.css:38:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). input.css:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). logout.css:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). logout.css:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). [email protected]:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). [email protected]:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). _datepicker.css:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). _datepicker.css:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). [email protected]:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). [email protected]:20:12

And the only way I could get them to work is by setting the content security policy like so:

    content_security_policy = {
        "default-src": [
            "'self'",
            ...
        ],
        "style-src": [
            "'self'",
            "'unsafe-inline'",
            ...
        ],
        "img-src": [
            "'self'",
            ...
        ],
        "script-src": [
            "'self'",
            "'unsafe-eval'",
            ...
        ] + app.csp_hashes(),
    }

Note the 'unsafe-eval' in the script-src directive and the 'unsafe-inline' in the style-src directive.

However this is bad

The reason is that all of those files have either an Python eval() statement in them or, in the case of the stylesheets, are inserting style elements dynamically.

Expected behavior

Should be able to define CSP without having to use 'unsafe-eval' and 'unsafe-inline'

@anders-kiaer
Copy link
Contributor

anders-kiaer commented Oct 6, 2021

dash itself (at least last time I checked, which was dash<2.0) is compatible with a strict CSP. I.e. you don't need unsafe-eval or unsafe-inline for the Dash framework itself, however if you e.g. use dcc (which most/all Dash apps will) you would as you describe need unsafe-eval (unless you use a smaller plotly.js bundle), together with unsafe-inline (coming both from the way dcc is currently built, and from plotly.js, as far as I recall)..

Related issues/PR:

@anders-kiaer
Copy link
Contributor

@shadydealer According to https://github.com/plotly/dash/blob/dev/CHANGELOG.md#230---2022-03-13 you can now avoid unsafe-eval CSP exception for all trace types (by using the plotly.js strict bundle).

@gvwilson
Copy link
Contributor

Hi - we are tidying up stale issues and PRs in Plotly's public repositories so that we can focus on things that are most important to our community. If this issue is still a concern, please add a comment letting us know what recent version of our software you've checked it with so that I can reopen it and add it to our backlog. (Please note that we will give priority to reports that include a short reproducible example.) If you'd like to submit a PR, we'd be happy to prioritize a review, and if it's a request for tech support, please post in our community forum. Thank you - @gvwilson

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants