Support clientside callbacks in plugins

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased] - YYYY-MM-DD
+### Added
+- [#278](https://github.com/equinor/webviz-config/pull/278) - Plugin authors can now use Dash inline callbacks
+(i.e. `app.clientside_callback(...)`) without being in conflict with the strict
+[CSP rules](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+enforced by `webviz-config` (inline script hashes are added automatically).
+
 ## [0.1.2] - 2020-09-09
 ### Added
 - [#279](https://github.com/equinor/webviz-config/pull/279) - Added scrollbar to menu (when larger than screen size).

setup.py

@@ -37,7 +37,7 @@
     install_requires=[
         "bleach>=3.1",
         "cryptography>=2.4",
-        "dash>=1.7",
+        "dash>=1.16",
         "flask-caching>=1.4",
         "flask-talisman>=0.6",
         "jinja2>=2.10",

webviz_config/_theme_class.py

@@ -18,14 +18,13 @@ def __init__(self, theme_name: str):
             "script-src": [
                 "'self'",
                 "'unsafe-eval'",  # [2]
-                "'sha256-jZlsGVOhUAIcH+4PVs7QuGZkthRMgvT2n0ilH6/zTM0='",  # [3]
             ],
             "img-src": ["'self'", "data:"],
             "navigate-to": "'self'",
             "base-uri": "'self'",
             "form-action": "'self'",
-            "frame-ancestors": "'self'",  # [4]
-            "frame-src": "'self'",  # [4]
+            "frame-ancestors": "'self'",  # [3]
+            "frame-src": "'self'",  # [3]
             "object-src": "'self'",
             "plugin-types": "application/pdf",
         }
@@ -36,8 +35,7 @@ def __init__(self, theme_name: str):
                 (https://github.com/plotly/plotly.js/issues/2355)
             [2] unsafe-eval still needed for plotly.js bundle
                 (https://github.com/plotly/plotly.js/issues/897)
-            [3] https://github.com/plotly/dash/issues/630
-            [4] We use 'self' instead of 'none' due to what looks like a Chromium bug,
+            [3] We use 'self' instead of 'none' due to what looks like a Chromium bug,
                 where e.g. pdf's included using <embed> is not rendered. Might be
                 related to https://bugs.chromium.org/p/chromium/issues/detail?id=1002610
         """

webviz_config/templates/webviz_template.py.jinja2

@@ -55,6 +55,7 @@ app.webviz_settings = {
 
 CACHE.init_app(server)
 
+theme.adjust_csp({"script-src": app.csp_hashes()}, append=True)
 Talisman(server, content_security_policy=theme.csp, feature_policy=theme.feature_policy)
 
 WEBVIZ_STORAGE.use_storage = {{portable}}