Hi there,
I tried, as mentioned here, to add
csp = {"default-src": "'self'", "script-src": ["'self'"] + app.csp_hashes()}
to Talisman's CSP rule instead of none, but it breaks the application. The log says
dash 2.9.3
dash-bootstrap-components==1.4.1
The documentation also just adds the list to the string, which doesn’t work
From the docs:
flask_talisman.Talisman(app.server, content_security_policy= { "default-src": "'self'", "script-src": "'self'" + app.csp_hashes() })
and even if I do define it
csp = {"default-src": "'self'", "style-src": ["'self'"] + app.csp_hashes(), "script-src": ["'self'"] + app.csp_hashes()} Talisman
It still tells me that
sh_renderer.v2_9_3m1682736561.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='". Either the 'unsafe-inline' keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce ('nonce-...') is required to enable inline execution.
which is weird, because I do pass a hash, but it tells me I didn't, even though it shows me that I did.
I also tried to download the plotly-strict.js file and serve it under assets.
Adding each SHA string to the CSP config helps, of course, but if the components get updated it will break my code.
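A small check, added here as an illustration and not part of the original post or of the Dash or Talisman code, showing why the list form serialises correctly while the string form in the docs fails, and how to tell whether a given inline block is covered by the hashes a policy carries. The hash list, inline script and inline style below are constructed stand-ins for app.csp_hashes() and for Dash's real inline content.

```python
import base64
import hashlib

def csp_hash_source(inline_content: str, algorithm: str = "sha256") -> str:
    """CSP source expression ('sha256-<base64>') that allows exactly this
    inline <script> or <style> body; any byte change yields a new hash."""
    digest = hashlib.new(algorithm, inline_content.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"

def docs_form_breaks(hashes: list) -> bool:
    """The docs snippet writes "'self'" + app.csp_hashes(); str + list is a TypeError."""
    try:
        "'self'" + hashes
    except TypeError:
        return True
    return False

def serialize_csp(policy: dict) -> str:
    """Render {directive: str | list[str]} as a header value; list values are
    space-joined, which is why ["'self'"] + hashes is the working form."""
    parts = []
    for directive, sources in policy.items():
        if isinstance(sources, (list, tuple)):
            sources = " ".join(sources)
        parts.append(f"{directive} {sources}")
    return "; ".join(parts)

def inline_allowed(policy: dict, directive: str, inline_content: str) -> bool:
    """True if the directive (or default-src as fallback) lists the hash of
    this exact inline content, which is what the browser error asks for."""
    sources = policy.get(directive, policy.get("default-src", ""))
    if isinstance(sources, str):
        sources = sources.split()
    return csp_hash_source(inline_content) in sources

# Constructed sample data (not Dash's real inline content or hashes).
INLINE_SCRIPT = "window.__dash_demo = 1;"
INLINE_STYLE = "body { margin: 0; }"
SCRIPT_HASHES = [csp_hash_source(INLINE_SCRIPT)]  # stand-in for app.csp_hashes()

POLICY = {
    "default-src": "'self'",
    "script-src": ["'self'"] + SCRIPT_HASHES,
    "style-src": ["'self'"] + SCRIPT_HASHES,  # script hashes do not cover the style
}
FIXED_POLICY = dict(POLICY, **{"style-src": POLICY["style-src"] + [csp_hash_source(INLINE_STYLE)]})
```

Comparing inline_allowed(POLICY, "style-src", INLINE_STYLE) with the same call on FIXED_POLICY reproduces the situation in the error above: a hash is present in style-src, but it is not the hash of the inline style the browser is evaluating.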