Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] CSP #16610

Closed
QimatLuo opened this issue Mar 2, 2022 · 5 comments · Fixed by ecomfe/zrender#1030
Closed

[Bug] CSP #16610

QimatLuo opened this issue Mar 2, 2022 · 5 comments · Fixed by ecomfe/zrender#1030
Labels
bug en This issue is in English

Comments

@QimatLuo
Copy link

QimatLuo commented Mar 2, 2022

Version

5.3.0

Link to Minimal Reproduction

No response

Steps to Reproduce

Update CSP header to not use unsafe-inline.

Current Behavior

image

Expected Behavior

No CSP error.

Environment

- OS: Windows
- Browser: Chrome
- Framework: Vue@2

Any additional comments?

Vuetify supports https://vuetifyjs.com/en/features/theme/#csp-nonce
Not sure it works for ECharts.
@QimatLuo QimatLuo added the bug label Mar 2, 2022
@echarts-bot echarts-bot bot added en This issue is in English pending We are not sure about whether this is a bug/new feature. waiting-for: community labels Mar 2, 2022
@HK-Zhang
Copy link

HK-Zhang commented Mar 8, 2022

looking for solution for the same issue.

@alexisreis
Copy link

Same issue here...

@work933k
Copy link

Same here

NexediGitlab pushed a commit to Nexedi/erp5 that referenced this issue Sep 8, 2023
@perrinjerome
officejs: stop using unsafe web section in echarts gadget
50f5cc7 
To work 100% this needs "style-src: unsafe-inline" in the CSP, without
this the popup on hover does not show the series color - which in our
case is better than using the CSP.

also drop obsolete appcache, browsers no longer use this.

reference ossie: apache/echarts#16610 on github
NexediGitlab pushed a commit to Nexedi/erp5 that referenced this issue Sep 8, 2023
@perrinjerome
officejs: stop using unsafe web section in echarts gadget
919df36 
To work 100% this needs "style-src: unsafe-inline" in the CSP, without
this the popup on hover does not show the series color - which in our
case is better than using the CSP.

also drop obsolete appcache, browsers no longer use this.

reference: apache/echarts#16610
@alxnddr
Copy link

alxnddr commented Sep 12, 2023

We are also having this issue and unfortunately we are unable to use unsafe-inline

@work933k
Copy link

The issue is that the "marker" is implemented using inline styling. I implemented a workaround by creating the marker myself in the formatter:

formatter: (param: any[]) => {
        const { axisValue } = param[0] || [];

        param.forEach(({ seriesName, value, color }) => {
          // create CSP compliant marker
          const marker = `<span class="marker" data-color="${color}"></span>`;
          tooltip += `${marker} ${seriesName}: ${value}%<br />`;
        });

        return tooltip;
      },

And also the colors need to be implemented scss-part:

::ng-deep {
  .marker {
    display: inline-block;
    margin-right: 4px;
    border-radius: 10px;
    width: 10px;
    height: 10px;

    &[data-color='#F0CF84'] {
      background-color: #f0cf84;
    }

    &[data-color='#B66728'] {
      background-color: #b66728;
    }

@alxnddr alxnddr mentioned this issue Sep 18, 2023
Merged
@plainheart plainheart removed pending We are not sure about whether this is a bug/new feature. waiting-for: community labels Sep 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug en This issue is in English
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(svg): fix assigning style attribute does not work when CSP is enforced alxnddr/zrender
6 participants
@HK-Zhang @QimatLuo @alxnddr @plainheart @alexisreis @work933k