Support clientside callbacks in plugins

equinor · Sep 6, 2020 · b345075 · b345075
1 parent e23fb93
commit b345075
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased] - YYYY-MM-DD
+### Added
+- [#278](https://github.com/equinor/webviz-config/pull/278) - Plugin authors can now use Dash inline callbacks
+(i.e. `app.clientside_callback(...)`) without being in conflict with the strict
+[CSP rules](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+enforced by `webviz-config` (inline script hashes are added automatically).
+
 ## [0.1.1] - 2020-09-02
 ### Added
 - [#269](https://github.com/equinor/webviz-config/pull/269) - Added an optional argument `screenshot_filename` to `WebvizPluginABC`. Can be used to let plugin authors specify filename used when screenshots of the plugin are saved.

diff --git a/setup.py b/setup.py
@@ -37,7 +37,7 @@
     install_requires=[
         "bleach>=3.1",
         "cryptography>=2.4",
-        "dash>=1.7",
+        "dash>=1.16",
         "flask-caching>=1.4",
         "flask-talisman>=0.6",
         "jinja2>=2.10",

diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py
@@ -18,14 +18,13 @@ def __init__(self, theme_name: str):
             "script-src": [
                 "'self'",
                 "'unsafe-eval'",  # [2]
-                "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='",  # [3]
             ],
             "img-src": ["'self'", "data:"],
             "navigate-to": "'self'",
             "base-uri": "'self'",
             "form-action": "'self'",
             "frame-ancestors": "'self'",  # [4]
-            "frame-src": "'self'",  # [4]
+            "frame-src": "'self'",  # [3]
             "object-src": "'self'",
             "plugin-types": "application/pdf",
         }
@@ -36,8 +35,7 @@ def __init__(self, theme_name: str):
                 (https://github.com/plotly/plotly.js/issues/2355)
             [2] unsafe-eval still needed for plotly.js bundle
                 (https://github.com/plotly/plotly.js/issues/897)
-            [3] https://github.com/plotly/dash/issues/630
-            [4] We use 'self' instead of 'none' due to what looks like a Chromium bug,
+            [3] We use 'self' instead of 'none' due to what looks like a Chromium bug,
                 where e.g. pdf's included using <embed> is not rendered. Might be
                 related to https://bugs.chromium.org/p/chromium/issues/detail?id=1002610
         """

diff --git a/webviz_config/templates/webviz_template.py.jinja2 b/webviz_config/templates/webviz_template.py.jinja2
@@ -55,8 +55,6 @@ app.webviz_settings = {
 
 CACHE.init_app(server)
 
-Talisman(server, content_security_policy=theme.csp, feature_policy=theme.feature_policy)
-
 WEBVIZ_STORAGE.use_storage = {{portable}}
 WEBVIZ_STORAGE.storage_folder = path.join(
     path.dirname(path.realpath(__file__)), "webviz_storage"
@@ -107,6 +105,9 @@ else:
 
 {{ "WEBVIZ_ASSETS.directly_host_assets(app)" if not portable else ""}}
 
+theme.adjust_csp({"script-src": app.csp_hashes()}, append=True)
+Talisman(server, content_security_policy=theme.csp, feature_policy=theme.feature_policy)
+
 if __name__ == "__main__":
     # This part is ignored when the webviz app is started
     # using Docker container and uwsgi (e.g. when hosted on Azure).