From 306f445ec235cf003ce2ef853df0b589ffa40c28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20Fredrik=20Ki=C3=A6r?=
Date: Thu, 3 Sep 2020 21:04:27 +0200
Subject: [PATCH] Support clientside callbacks in plugins
---
 CHANGELOG.md | 7 +++++++
 setup.py | 2 +-
 webviz_config/_theme_class.py | 4 +---
 webviz_config/templates/webviz_template.py.jinja2 | 1 +
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c4f03f60..5657d959 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased] - YYYY-MM-DD
+### Added
+- [#278](https://github.com/equinor/webviz-config/pull/278) - Plugin authors can now use Dash inline callbacks
+(i.e. `app.clientside_callback(...)`) without being in conflict with the strict
+[CSP rules](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+enforced by `webviz-config` (inline script hashes are added automatically).
+
 ## [0.1.2] - 2020-09-09
 ### Added
 - [#279](https://github.com/equinor/webviz-config/pull/279) - Added scrollbar to menu (when larger than screen size).
diff --git a/setup.py b/setup.py
index 59b18b1a..43495679 100644
--- a/setup.py
+++ b/setup.py
@@ -37,7 +37,7 @@
 install_requires=[
 "bleach>=3.1",
 "cryptography>=2.4",
- "dash>=1.7",
+ "dash>=1.16",
 "flask-caching>=1.4",
 "flask-talisman>=0.6",
 "jinja2>=2.10",
diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py
index 71f1762d..57fca9fb 100644
--- a/webviz_config/_theme_class.py
+++ b/webviz_config/_theme_class.py
@@ -18,7 +18,6 @@ def __init__(self, theme_name: str):
 "script-src": [
 "'self'",
 "'unsafe-eval'", # [2]
- "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='", # [3]
 ],
 "img-src": ["'self'", "data:"],
 "navigate-to": "'self'",
@@ -36,8 +35,7 @@ def __init__(self, theme_name: str): (https://github.com/plotly/plotly.js/issues/2355) [2] unsafe-eval still needed for plotly.js bundle (https://github.com/plotly/plotly.js/issues/897) - [3] https://github.com/plotly/dash/issues/630 - [4] We use 'self' instead of 'none' due to what looks like a Chromium bug, + [3] We use 'self' instead of 'none' due to what looks like a Chromium bug, where e.g. pdf's included using is not rendered. Might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=1002610 """ diff --git a/webviz_config/templates/webviz_template.py.jinja2 b/webviz_config/templates/webviz_template.py.jinja2 index a3a4f803..51931850 100644 --- a/webviz_config/templates/webviz_template.py.jinja2 +++ b/webviz_config/templates/webviz_template.py.jinja2 @@ -55,6 +55,7 @@ app.webviz_settings = { CACHE.init_app(server) +theme.adjust_csp({"script-src": app.csp_hashes()}, append=True) Talisman(server, content_security_policy=theme.csp, feature_policy=theme.feature_policy) WEBVIZ_STORAGE.use_storage = {{portable}}
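Review bot: The added `theme.adjust_csp({"script-src": app.csp_hashes()}, append=True)` line in the template hunk is order-sensitive, and nothing in the hunk documents that. `app.csp_hashes()` can only hash the inline scripts Dash knows about when it is called, so a plugin whose `clientside_callback` is registered after this line would be missing from the `script-src` list handed to `Talisman`, and the browser would block its script. The template's plugin instantiation and layout code lie outside this hunk, so the diff alone cannot confirm that the ordering holds. I would add a comment directly above the call, e.g. `# Keep after all plugin/callback registration: csp_hashes() only covers inline scripts defined so far.` The project docs should also state that every plugin-supplied inline script is now allowlisted automatically, so the CSP no longer limits what an installed plugin can run inline.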