CSP not working as stated in documentation

Hi there,

I tried, as mentioned here, to add

csp = {"default-src": "'self'", "script-src": ["'self'"] + app.csp_hashes()}

to Talisman's csp rule instead of none, but it breaks the application. The log says

dash                 2.9.3
dash-bootstrap-components==1.4.1


The documentation also just adds the list to the string, which doesn't work.

From the docs:

flask_talisman.Talisman(app.server, content_security_policy= { "default-src": "'self'", "script-src": "'self'" + app.csp_hashes() })

and even if I do define it

csp = {"default-src": "'self'", "style-src": ["'self'"] + app.csp_hashes(), "script-src": ["'self'"] + app.csp_hashes()}
Talisman(app.server, content_security_policy=csp)

It still tells me that

sh_renderer.v2_9_3m1682736561.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='". Either the 'unsafe-inline' keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce ('nonce-...') is required to enable inline execution.

which is weird, because I do pass a hash, but it tells me I didn't, even though it shows me I did.

I also tried to download the plotly-strict.js file and serve it under assets.


Adding each sha string to the csp config helps, of course, but if the components get updated it will break my code.
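The two problems in the post above (str + list in the snippet quoted from the docs, and a hash that is present in the policy yet not the one the browser asks for) can both be checked without running Dash. The following is an added example, not code from the thread or from Dash or flask-talisman: app.csp_hashes() is replaced by a constructed list holding the two hash values quoted in the console error, and build_csp / render_csp / validate_sources are helper names assumed here.

```python
import re
from typing import Dict, List

# Constructed stand-in for what app.csp_hashes() returns on a real Dash app:
# a list of single-quoted hash sources. The two values are copied from the
# console error quoted in the thread.
DASH_HASHES = [
    "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='",
    "'sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='",
]

# A CSP hash source is single-quoted, names the algorithm, and carries base64.
HASH_SOURCE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/]+={0,2}'$")
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}


def docs_snippet_fails(hashes: List[str]) -> bool:
    """The snippet quoted from the docs does "'self'" + app.csp_hashes().
    In Python, str + list raises TypeError, which is why the app breaks."""
    try:
        _ = "'self'" + hashes  # type: ignore[operator]
    except TypeError:
        return True
    return False


def validate_sources(sources: List[str]) -> List[str]:
    """Return every source that is neither a CSP keyword, a scheme/host, nor a
    well-formed quoted hash, e.g. a hash missing its surrounding single quotes."""
    bad = []
    for src in sources:
        if src in KEYWORDS or HASH_SOURCE.match(src):
            continue
        if src.startswith(("http://", "https://")) or src in ("*", "data:", "blob:"):
            continue
        bad.append(src)
    return bad


def build_csp(hashes: List[str]) -> Dict[str, List[str]]:
    """Build the dict handed to Talisman. Every directive value is a list, and
    the hashes go into style-src as well as script-src, because the renderer
    injects inline styles too (the error in the thread is a style-src error)."""
    bad = validate_sources(hashes)
    if bad:
        raise ValueError(f"malformed CSP sources: {bad}")
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'"] + hashes,
        "style-src": ["'self'"] + hashes,
    }


def render_csp(policy: Dict[str, List[str]]) -> str:
    """Serialise the dict into the header form the browser sees:
    'directive src src; directive src'. Handy for eyeballing the result."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


if __name__ == "__main__":
    print("docs snippet raises TypeError:", docs_snippet_fails(DASH_HASHES))
    print(render_csp(build_csp(DASH_HASHES)))
    # On a real app the call would be:
    # Talisman(app.server, content_security_policy=build_csp(app.csp_hashes()))
```

The validator is the useful part for the quoting mistake discussed later in the thread: a hash pasted without its single quotes is rejected before the policy ever reaches the browser, instead of silently producing a directive that allows nothing.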

Hi Volodia,
did the above issue get resolved? If yes, can you explain how?

I found that app.csp_hashes gets the dash specific hashes but does not include the underlying react script hashes. These have to be added manually.

I was able to get this to work by running my app in Chrome, which will tell you the required hash you need for a specific JavaScript function that violates your CSP. You can find these in developer tools (F12) in the console window's errors.

When you add them to your script-src array, make sure you wrap them in double quotes and single quotes. It should look something like "script-src": ["'sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='"]

Do the same for style-src as well.

Other than that, the docs are accurate.

A great guide for this stuff is here: https://content-security-policy.com/
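The hash Chrome reports in the console is simply the base64 SHA-256 of the inline script or style body, so it can also be computed (and cross-checked against the console message) outside the browser. The following is an added example, not code from the thread or from Dash or flask-talisman: the error line is the one quoted earlier in the thread, the inline script body is constructed, and csp_hash / required_hash_from_error / matches_policy_hash are helper names assumed here.

```python
import base64
import hashlib
import re

# The style-src error quoted in the thread, used as sample input.
CONSOLE_ERROR = (
    "sh_renderer.v2_9_3m1682736561.min.js:2 Refused to apply inline style because it "
    "violates the following Content Security Policy directive: \"style-src 'self' "
    "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='\". Either the 'unsafe-inline' "
    "keyword, a hash ('sha256-wKzwDrQnyKb+4IbV1MhV5fbWlmLadU/ahGg5cucHwgg='), or a nonce "
    "('nonce-...') is required to enable inline execution."
)

# Constructed inline script body. In practice this is the exact text between
# <script> and </script> (or the body of a <style> block), byte for byte.
INLINE_SCRIPT = "window.dash_loading = true;"

REQUIRED_HASH = re.compile(r"a hash \('(sha(?:256|384|512)-[A-Za-z0-9+/]+=*)'\)")
POLICY_HASH = re.compile(r"'(sha(?:256|384|512)-[A-Za-z0-9+/]+=*)'")


def csp_hash(content: str, algorithm: str = "sha256") -> str:
    """Return the CSP source expression for an inline script or style body:
    digest the UTF-8 bytes, base64-encode, prefix with the algorithm, and quote."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash sources must use sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def required_hash_from_error(error_line: str) -> str:
    """Pull the hash the browser says it needs out of a console error line,
    already wrapped in the single quotes a policy entry requires."""
    m = REQUIRED_HASH.search(error_line)
    if not m:
        raise ValueError("no required hash found in console error")
    return f"'{m.group(1)}'"


def hashes_in_directive(error_line: str) -> list:
    """Return the hashes that were already present in the violated directive,
    i.e. everything quoted before the 'Either ...' sentence."""
    directive = error_line.split('". Either', 1)[0]
    return [f"'{h}'" for h in POLICY_HASH.findall(directive)]


def matches_policy_hash(content: str, policy_source: str) -> bool:
    """Check whether a policy entry (e.g. one from the console) is the hash of
    the given inline content. A single changed byte makes this False."""
    algorithm = policy_source.strip("'").split("-", 1)[0]
    return csp_hash(content, algorithm) == policy_source


if __name__ == "__main__":
    print("in policy:", hashes_in_directive(CONSOLE_ERROR))
    print("required: ", required_hash_from_error(CONSOLE_ERROR))
    print("hash of constructed inline script:", csp_hash(INLINE_SCRIPT))
```

Run against the quoted error, this shows why the original poster's policy "had a hash" yet still failed: the directive carried one hash and the inline style needed a different one, so both have to be listed.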