Improve CSP Documentation & Consider Full CSP Compliance in Plotly.js #7349

Open
safroze-plotly opened this issue Jan 29, 2025 · 1 comment
Labels: cs (customer success), documentation (written for humans), feature (something new), P1 (needed for current cycle)

Comments

@safroze-plotly

Title: Improve CSP Documentation & Consider Full CSP Compliance in Plotly.js

Description

Plotly.js provides a strict CSP bundle for users with strong Content Security Policies (CSP), but clear documentation is missing on:

  • What’s included/excluded in the strict bundle
  • Known limitations and workarounds

Enterprise customers and community users (e.g., this forum post) have requested better CSP support and clarity. The strict bundle exists (plotly-strict.js), but its usage is not well-documented.
Proposed Actions

  1. Document the strict bundle’s capabilities, limitations, and integration steps.
  2. Provide examples for CSP-compliant usage in Dash & JS.
  3. Evaluate full CSP compliance for Plotly.js instead of maintaining a separate bundle.
    • Internal enterprise customers have requested a fully CSP-compliant version.
    • Can the main plotly.js bundle be refactored to remove eval and inline scripts?

Why This Matters

  • CSP restrictions block adoption in security-sensitive environments.
  • Clear documentation would prevent confusion and production roadblocks.
  • Growing demand from enterprises & community users for strict CSP support.

Can the team consider making the main bundle fully CSP-compliant? Are there technical challenges or funding requirements for this? 🚀
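As an added example (not plotly.js project code), here is a small checker that applies the CSP fallback and keyword rules to a Content-Security-Policy header value and reports whether that policy could run a bundle that needs eval and inline scripts, or whether only the strict bundle fits. It takes the issue's statement that the main bundle relies on eval and inline scripts as given; the function names are mine.

```javascript
// Added example, not plotly.js project code. Applies CSP source-list rules
// to a Content-Security-Policy header value and reports whether it would
// permit a script bundle that needs eval and inline scripts (the issue says
// the main plotly.js bundle does), or whether only plotly-strict.js fits.

// Parse "default-src 'self'; script-src 'self' 'unsafe-eval'" into a
// Map of directive name -> array of source expressions. Per the CSP spec,
// a repeated directive is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// The source list that governs eval and inline <script>: script-src if
// present, otherwise default-src as the fallback; null means scripts are
// not restricted by this policy at all.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// Returns { allowsEval, allowsInline, bundle } for the given header value.
function assessPlotlyCsp(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) {
    return { allowsEval: true, allowsInline: true, bundle: 'plotly.js' };
  }
  const allowsEval = hasKeyword(sources, "'unsafe-eval'");
  // A nonce or hash source disables 'unsafe-inline' in CSP2+ browsers, so
  // arbitrary inline scripts are blocked even if the keyword is present.
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const allowsInline = hasKeyword(sources, "'unsafe-inline'") && !nonceOrHash;
  const bundle = allowsEval && allowsInline ? 'plotly.js' : 'plotly-strict.js';
  return { allowsEval, allowsInline, bundle };
}
```

Running `assessPlotlyCsp` over the header a Dash or plain-JS deployment actually sends (for example in a CI step) tells you up front whether the main bundle will be blocked and the strict one is required.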

safroze-plotly added the feature and documentation labels on Jan 29, 2025
ndrezn added the cs label on Jan 29, 2025
@safroze-plotly (Author)

ag-grid csp coverage - https://www.ag-grid.com/charts/javascript/security/

gvwilson added the P1 label on Jan 29, 2025