Uncaught EvalError: call to eval() blocked by CSP
js http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7383
__webpack_require__ http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7440
<anonymous> http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7523
<anonymous> http://localhost:8050/_dash-component-suites/dash/dash-renderer/build/dash_renderer.v2_0_0m1633506978.dev.js:7527
dash_renderer.v2_0_0m1633506978.dev.js:7383:1
Some cookies are misusing the recommended “SameSite“ attribute 2
Uncaught ReferenceError: DashRenderer is not defined
<anonymous> http://localhost:8050/:30
localhost:8050:30:16
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). dash_renderer.v2_0_0m1633506978.dev.js:7383
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). input.css:38:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). input.css:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). logout.css:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). logout.css:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). react-select@1.0.0-rc.3.min.css:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). react-select@1.0.0-rc.3.min.css:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). _datepicker.css:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). _datepicker.css:20:12
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). react-dates@20.1.0-fix.css:40:47
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). react-dates@20.1.0-fix.css:20:12
dash itself (at least last time I checked, which was dash<2.0) is compatible with a strict CSP. I.e. you don't need unsafe-eval or unsafe-inline for the Dash framework itself, however if you e.g. use dcc (which most/all Dash apps will) you would as you describe need unsafe-eval (unless you use a smaller plotly.js bundle), together with unsafe-inline (coming both from the way dcc is currently built, and from plotly.js, as far as I recall).
Describe your context
python 3.8
Describe the bug
I'm trying to set up a dash with flask along with talisman like so:
But the following errors occur in Firefox 92.0:
And the only way I could get them to work is by setting the content security policy like so:
Note the 'unsafe-eval' in the script-src directive and the 'unsafe-inline' in the style-src directive.
However this is bad
The reason is that all of those files have either an Python eval() statement in them or, in the case of the stylesheets, are inserting style elements dynamically.
Expected behavior
Should be able to define CSP without having to use 'unsafe-eval' and 'unsafe-inline'
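As an added example (not code from this issue or from the Dash project), the standard-library Python below parses Firefox CSP console lines like those quoted in this issue to work out which relaxation each directive would need and which files trigger it, and audits a policy string for `'unsafe-eval'` and `'unsafe-inline'`. The function names and the two sample policies are assumptions constructed for illustration.

```python
import re

# Constructed sample: three of the Firefox console lines quoted in this issue.
CONSOLE_LINES = [
    "Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). dash_renderer.v2_0_0m1633506978.dev.js:7383",
    "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). input.css:38:47",
    "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). _datepicker.css:20:12",
]
# Constructed policies (the issue's own Talisman settings are not shown on this page).
RELAXED = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'self'; style-src 'self'"

# Firefox names the blocked "resource" as eval or inline; each maps to the
# CSP source keyword that would have to be granted to silence the violation.
KEYWORD_FOR = {"eval": "'unsafe-eval'", "inline": "'unsafe-inline'"}
VIOLATION = re.compile(r"resource at (\w+) \(“([\w-]+)”\)\.\s*(\S+?):\d+")

def relaxations_needed(lines):
    """Map directive -> {keyword: sorted list of files that triggered it}."""
    needed = {}
    for line in lines:
        m = VIOLATION.search(line)
        if not m or m.group(1) not in KEYWORD_FOR:
            continue  # not an eval/inline CSP violation line
        what, directive, source = m.groups()
        needed.setdefault(directive, {}).setdefault(KEYWORD_FOR[what], set()).add(source)
    return {d: {k: sorted(v) for k, v in kw.items()} for d, kw in needed.items()}

def parse_policy(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by CSP; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def unsafe_grants(header):
    """Return sorted (directive, keyword) pairs where the policy allows eval or inline."""
    unsafe = set(KEYWORD_FOR.values())
    return sorted((d, s) for d, srcs in parse_policy(header).items()
                  for s in srcs if s.lower() in unsafe)
```

Running `relaxations_needed` over a full console capture gives a per-file list of what forces each relaxation, which is the inventory needed before tightening the policy or swapping components.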