
CSP Compatibility #828

Closed
dnschnur opened this Issue Sep 28, 2012 · 4 comments

2 participants

@dnschnur
Flot member

Original author: anthonyr...@gmail.com (August 31, 2012 22:03:45)

Currently, as it stands, flot is not compatible with the strict modes of the new HTML5 Content Security Policy.

CSP is designed to impose strict restrictions on the scope of damage that can be done in the event of XSS and various other content injections. The full spec can be found here: http://www.w3.org/TR/CSP/

As it's currently implemented, flot requires unsafe-inline styles due to the recurring uses of style="..." throughout the javascript. This can either be resolved through issue 748 or by using javascript to apply the styles directly.

If the enhancement detailed in issue 748 is not desired I will write the patches required for CSP compliance using only javascript.

Original issue: http://code.google.com/p/flot/issues/detail?id=749

@dnschnur
Flot member

From anthonyr...@gmail.com on August 31, 2012 22:11:17
This would also be addressed by Issue 519, which could be considered an opposite of issue 748, and possibly more preferable.

@dnschnur
Flot member

From dnsch...@gmail.com on September 07, 2012 21:46:50
Accepted, but classifying as an enhancement, since this is currently far from required. May merge into issue 748 as necessary.

@anthonyryan1

Sorry about the delay here, somewhere in the migration from code.google to github I lost track of this issue, and didn't remember its existence until I was about to file this bug all over again with a pull request.

I've refactored bits of insertLegend() & drawLabel() to use jQuery to construct the legend, rather than using "style=" which isn't valid in some strict CSP rulesets.

Everything pertaining to the core jQuery was fixed in 1.8.0 ( http://bugs.jquery.com/ticket/11249 ), and excanvas doesn't require fixing since there is currently no browser that doesn't support canvas but does support CSP.

I'll attach a pull request to this bug shortly, I just want to finish testing for edge cases breaking first.
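As an added example, not code from flot or from the participants in this issue: a small JavaScript check for markup that a strict CSP (no `'unsafe-inline'`) would refuse, plus a helper that lifts inline `style=""` attributes out so the declarations can be applied through `element.style` or jQuery's `.css()` instead. The legend fragment is constructed for illustration in the shape the comments describe, not copied from flot.

```javascript
// Constructed sample: a legend fragment in the shape flot generated before the
// fix, with styling carried in style="" attributes.
const LEGEND_BEFORE =
  '<table style="font-size:smaller;color:#545454">' +
  '<tr><td class="legendColorBox">' +
  '<div style="border:1px solid #ccc;padding:1px">' +
  '<div style="width:4px;height:0;border:5px solid #edc240;overflow:hidden"></div>' +
  '</div></td><td class="legendLabel">Series 1</td></tr></table>';

// Patterns a strict CSP refuses to apply (style-src) or execute (script-src)
// when 'unsafe-inline' is absent.
const INLINE_STYLE_ATTR = /\sstyle\s*=\s*("([^"]*)"|'([^']*)')/gi;
const INLINE_HANDLER_ATTR = /\son[a-z]+\s*=\s*("[^"]*"|'[^']*')/gi;
const INLINE_SCRIPT = /<script\b(?![^>]*\bsrc=)[^>]*>[\s\S]*?<\/script>/gi;

// Return every fragment of `html` that a strict CSP would block.
// An empty array means the markup is CSP-clean in this respect.
function findCspInlineViolations(html) {
  const found = [];
  for (const [kind, re] of [['style-attr', INLINE_STYLE_ATTR],
                            ['event-handler', INLINE_HANDLER_ATTR],
                            ['inline-script', INLINE_SCRIPT]]) {
    for (const m of html.matchAll(re)) found.push({ kind, snippet: m[0].trim() });
  }
  return found;
}

// Parse one style attribute value into a property -> value object, which is
// the shape jQuery's .css({...}) and element.style assignments accept.
function parseDeclarations(text) {
  const out = {};
  for (const decl of text.split(';')) {
    const i = decl.indexOf(':');
    if (i > 0) out[decl.slice(0, i).trim()] = decl.slice(i + 1).trim();
  }
  return out;
}

// Strip style="" attributes from markup, returning the clean markup plus the
// declarations in document order so the caller can apply them via .css().
function liftInlineStyles(html) {
  const styles = [];
  const clean = html.replace(INLINE_STYLE_ATTR, (_, __, dq, sq) => {
    styles.push(parseDeclarations(dq !== undefined ? dq : sq));
    return '';
  });
  return { html: clean, styles };
}
```

Running `findCspInlineViolations` over generated markup is a cheap regression check that a refactor like the one described above did not reintroduce `style=` attributes.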

This was referenced Jan 7, 2013
@anthonyryan1

This issue can be closed.

@dnschnur dnschnur closed this Nov 10, 2013
@dnschnur dnschnur was assigned Nov 10, 2013