CSP Compatibility #828

Closed
dnschnur opened this Issue Sep 28, 2012 · 4 comments

Member

dnschnur commented Sep 28, 2012

Original author: anthonyr...@gmail.com (August 31, 2012 22:03:45)

Currently, as it stands, flot is not compatible with the strict modes of the new HTML5 Content Security Policy.

CSP is designed to impose strict restrictions on the scope of damage that can be done in the event of XSS and various other content injections. The full spec can be found here: http://www.w3.org/TR/CSP/

As it's currently implemented, flot requires unsafe-inline styles due to the recurring uses of style="..." throughout the JavaScript. This can either be resolved through issue 748 or by using JavaScript to apply the styles directly.

If the enhancement detailed in issue 748 is not desired I will write the patches required for CSP compliance using only JavaScript.

Original issue: http://code.google.com/p/flot/issues/detail?id=749

Member

dnschnur commented Sep 28, 2012

From anthonyr...@gmail.com on August 31, 2012 22:11:17
This would also be addressed by Issue 519, which could be considered an opposite of issue 748, and possibly more preferable.

Member

dnschnur commented Sep 28, 2012

From dnsch...@gmail.com on September 07, 2012 21:46:50
Accepted, but classifying as an enhancement, since this is currently far from required. May merge into issue 748 as necessary.

Contributor

anthonyryan1 commented Jan 7, 2013

Sorry about the delay here, somewhere in the migration from code.google to github I lost track of this issue, and didn't remember its existence until I was about to file this bug all over again with a pull request.

I've refactored bits of insertLegend() & drawLabel() to use jQuery to construct the legend, rather than using "style=" which isn't valid in some strict CSP rulesets.

Everything pertaining to the core jQuery was fixed in 1.8.0 ( http://bugs.jquery.com/ticket/11249 ), and excanvas doesn't require fixing since there is currently no browser that doesn't support canvas but does support CSP.

I'll attach a pull request to this bug shortly, I just want to finish testing for edge cases breaking first.
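The refactor described in this comment, as an added example that is not flot's code: legend rows built as an HTML string with `style="..."` attributes beside the same rows built as DOM nodes styled through `element.style`, which a `style-src` policy without `'unsafe-inline'` permits. The `fakeDocument` stand-in and the sample series are constructed so the block runs outside a browser; in a page, the real `document` is passed instead.

```javascript
// Added example (not flot's code). Under a CSP such as `style-src 'self'`
// (no 'unsafe-inline'), inline style attributes are refused, but script
// assignments to element.style properties are not.

// Constructed stand-in for `document`, so the code runs outside a browser.
function fakeDocument() {
  class Element {
    constructor(tag) {
      this.tagName = tag; this.attributes = {}; this.style = {};
      this.children = []; this.textContent = '';
    }
    setAttribute(name, value) { this.attributes[name] = value; }
    appendChild(child) { this.children.push(child); return child; }
  }
  return { createElement: (tag) => new Element(tag) };
}

// BEFORE: an HTML string carrying inline style attributes. Inserted via
// innerHTML, every style="..." here is an inline style under CSP.
function legendHtmlInline(series) {
  return series.map((s) =>
    '<tr><td class="legendColorBox">' +
    '<div style="border:1px solid #ccc;padding:1px">' +
    '<div style="width:4px;height:0;border:5px solid ' + s.color + ';overflow:hidden"></div>' +
    '</div></td><td class="legendLabel">' + s.label + '</td></tr>').join('');
}

// AFTER: the same rows as nodes. Styles go through element.style (what
// jQuery's .css() does); setAttribute('style', ...) would reintroduce the violation.
function legendRowsCsp(doc, series) {
  return series.map((s) => {
    const tr = doc.createElement('tr');
    const box = tr.appendChild(doc.createElement('td'));
    box.setAttribute('class', 'legendColorBox');
    const outer = box.appendChild(doc.createElement('div'));
    Object.assign(outer.style, { border: '1px solid #ccc', padding: '1px' });
    const swatch = outer.appendChild(doc.createElement('div'));
    Object.assign(swatch.style, { width: '4px', height: '0', border: '5px solid ' + s.color, overflow: 'hidden' });
    const label = tr.appendChild(doc.createElement('td'));
    label.setAttribute('class', 'legendLabel');
    label.textContent = s.label; // text, not markup
    return tr;
  });
}

// Audit helpers: the constructs a CSP violation report would point at.
function countInlineStyleAttrs(html) { return (html.match(/\bstyle\s*=/g) || []).length; }
function hasStyleAttribute(node) {
  return 'style' in node.attributes || node.children.some(hasStyleAttribute);
}

// Constructed sample series.
const SAMPLE_SERIES = [{ label: 'cpu', color: '#edc240' }, { label: 'mem', color: '#afd8f8' }];
```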

Contributor

anthonyryan1 commented Nov 10, 2013

This issue can be closed.

@dnschnur dnschnur closed this Nov 10, 2013

@ghost ghost assigned dnschnur Nov 10, 2013