CSP not working as stated in documentation

Hi there,

I tried, as mentioned here, to add
csp = {"default-src": "'self'", "script-src": ["'self'"] + app.csp_hashes()}

to Talisman's CSP rule instead of None, but it breaks the application. The log says

dash                 2.9.3
dash-bootstrap-components==1.4.1

image

The documentation also just adds the list to the string, which doesn't work.

From the docs:

flask_talisman.Talisman(app.server, content_security_policy= { "default-src": "'self'", "script-src": "'self'" + app.csp_hashes() })

And even if I do define it

csp = {"default-src": "'self'", "style-src": ["'self'"] + app.csp_hashes(), "script-src": ["'self'"] + app.csp_hashes()} Talisman

It still tells me that

sh_renderer.v2_9_3m1682736561.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='". Either the 'unsafe-inline' keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce ('nonce-...') is required to enable inline execution.

which is weird, because I do pass a hash, but it tells me I didn't, even though it shows me I did.

I also tried to download the plotly-strict.js file and serve it under assets.

image

Adding each SHA string to the CSP config helps, of course, but if the components get updated it will break my code.
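The two failure modes in the post (concatenating a list onto the string `"'self'"`, and a hash that is present in `script-src` but does not cover an inline style) are worth seeing in isolation. The following is an added example, not code from the issue, from Dash or from Flask-Talisman: it computes a CSP hash-source token the way a browser does (base64 of the SHA-256 over the exact inline bytes), builds every directive as a list so hashes can be appended, and shows why `"'self'" + [...]` raises a TypeError. The inline script and style strings are constructed sample inputs, and `render_policy` only mirrors the documented header syntax (`directive value value; ...`); it is an assumption that this is exactly what Talisman emits for a list-valued directive.

```python
import base64
import hashlib

# Constructed sample inline content (NOT taken from Dash or the issue).
INLINE_SCRIPT = "window.__dash_ready = true;"
INLINE_STYLE = "body { margin: 0; }"


def csp_hash(content: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for one inline block.

    Browsers hash the exact bytes between the opening and closing tag (no
    trimming), then base64-encode the digest; any whitespace change produces
    a different token, which is why hashes break when a component is updated.
    """
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_policy(script_hashes, style_hashes):
    """Build a Talisman-style policy dict with list-valued directives.

    Keeping every value a list is what makes `+ app.csp_hashes()` well-formed.
    A hash in script-src does nothing for inline <style>; style-src needs its
    own hashes, which is the mismatch the browser error in the post reports.
    """
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'"] + list(script_hashes),
        "style-src": ["'self'"] + list(style_hashes),
    }


def render_policy(policy) -> str:
    """Serialize the dict to header form: 'directive v1 v2; directive ...'.

    Assumption: this mirrors how a list-valued directive is joined; the
    authoritative behaviour is Flask-Talisman's own serializer.
    """
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())


def broken_concat(hashes):
    """Reproduce the documentation snippet: a str plus a list is a TypeError."""
    try:
        return "'self'" + hashes
    except TypeError as exc:
        return f"TypeError: {exc}"


def style_allowed(policy, inline_style: str) -> bool:
    """Would this inline style pass the policy's style-src? (hash match only)"""
    return csp_hash(inline_style) in policy["style-src"]


if __name__ == "__main__":
    script_token = csp_hash(INLINE_SCRIPT)
    style_token = csp_hash(INLINE_STYLE)

    # Wrong: only the script hash is listed, so the inline style is refused.
    incomplete = build_policy([script_token], [])
    print(render_policy(incomplete))
    print("style allowed:", style_allowed(incomplete, INLINE_STYLE))

    # Right: each inline kind gets a hash in its own directive.
    complete = build_policy([script_token], [style_token])
    print(render_policy(complete))
    print("style allowed:", style_allowed(complete, INLINE_STYLE))

    print(broken_concat([script_token]))
```

Running it prints the header for both policies; the first refuses the sample inline style because only `script-src` carries a hash, the second accepts it once `style-src` lists the style's own hash. The last line is the documentation's `"'self'" + list` expression failing with a TypeError before Talisman is ever involved.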