CSP not working as stated in documentation

Hi there,

I tried, as mentioned here, to add
csp = {"default-src": "'self'", "script-src": ["'self'"] + app.csp_hashes()}

to Talisman's csp rule instead of none but it breaks the application. The log says

dash                 2.9.3


The documentation also just adds the list to the string, which doesn’t work

From the docs:

flask_talisman.Talisman(app.server, content_security_policy= { "default-src": "'self'", "script-src": "'self'" + app.csp_hashes() })

and even if I do define it

csp = {"default-src": "'self'", "style-src": ["'self'"] + app.csp_hashes(), "script-src": ["'self'"] + app.csp_hashes()} Talisman

It still tells me that

sh_renderer.v2_9_3m1682736561.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='". Either the 'unsafe-inline' keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce ('nonce-...') is required to enable inline execution.

which is weird because I do pass a hash, but it tells me I didn't even though it shows me I did.

I also tried to download the plotly-strict.js file and serve it under assets.


Adding each sha string to the csp config helps ofc, but if the components get updated it will break my code.

Hi Volodia,
Did the above issue get resolved? If yes, can you explain how?
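
As an added example (not part of the original thread and not Dash or flask-talisman code): a CSP hash source only permits the inline block whose exact text produces that digest, so hashes computed for inline scripts do not authorize an inline style. The inline script and style strings, the function names and the simplified matching (nonces are not modelled) are assumptions made for illustration.

```python
import base64
import hashlib

def csp_hash(inline_text, algorithm="sha256"):
    """CSP hash-source for the exact text of one inline <script>/<style> block."""
    digest = hashlib.new(algorithm, inline_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))

def sources_for(policy, directive):
    """Source list of a directive; absent directives fall back to default-src."""
    value = policy.get(directive, policy.get("default-src", []))
    return value.split() if isinstance(value, str) else list(value)

def inline_allowed(policy, directive, inline_text):
    """Simplified browser check for an inline block (nonces are not modelled)."""
    sources = sources_for(policy, directive)
    if any(csp_hash(inline_text, a) in sources for a in ("sha256", "sha384", "sha512")):
        return True
    # 'unsafe-inline' is ignored as soon as a hash or nonce source is present.
    restricted = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    return "'unsafe-inline'" in sources and not restricted

def header_value(policy):
    """Serialize the dict form (str or list values) into one header value."""
    return "; ".join("%s %s" % (d, " ".join(sources_for(policy, d))) for d in policy)

# Constructed inline blocks; the real ones are whatever the page actually emits.
INLINE_SCRIPT = "window.constructedExample = function () { return 1; };"
INLINE_STYLE = ".constructed-example { display: none; }"

# Stand-in for app.csp_hashes(), which Dash documents as hashing inline scripts.
SCRIPT_HASHES = [csp_hash(INLINE_SCRIPT)]

# Same shape as the dict in the post: script hashes reused under style-src.
POLICY = {
    "default-src": "'self'",
    "style-src": ["'self'"] + SCRIPT_HASHES,
    "script-src": ["'self'"] + SCRIPT_HASHES,
}
# Variant that also lists the hash of the inline style's own text.
POLICY_WITH_STYLE_HASH = {**POLICY, "style-src": POLICY["style-src"] + [csp_hash(INLINE_STYLE)]}

if __name__ == "__main__":
    print(header_value(POLICY))
    for name, pol in (("script hashes only", POLICY), ("with style hash", POLICY_WITH_STYLE_HASH)):
        print(name, "| script:", inline_allowed(pol, "script-src", INLINE_SCRIPT),
              "| style:", inline_allowed(pol, "style-src", INLINE_STYLE))
```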