Tooltips fail in 'style-src' when applying Content-Security-Policy - Official support forum | RGraph.net

Posted by Alek at 20:46 on Sunday 17th April 2022 [link]
Hi Richard,
I apply CSP to the header responses, like "style-src 'self'" and since we do not allow any inline styling I've noticed that script fails the policy on line 794: tooltipObj.innerHTML = args.text;
I use standard tooltips with no style modifications
args.text value is "'MY VALUE GOES HERE FOLLOWED BY RGRAPH STYLE
<div id="RGraph_tooltipsPointer" style="background-color:black; color: transparent;position:absolute;bottom:-5px;left:50%;transform:translateX(-50%) rotate(45deg);width:10px;height:10px"></div>'"

Do you have any suggestions?

Thank you
Alek

Posted by Richard at 21:08 on Sunday 17th April 2022 [link]
You could make an exception for the page that uses RGraph tooltips.

According to this docs page:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

You can set an option on the header that allows the use of inline styles. Here's what it says:

To allow inline styles, 'unsafe-inline', a nonce-source or a hash-source that matches the inline block can be specified.

So the example that it gives is this:

Content-Security-Policy: style-src 'unsafe-inline';

Also, another way might be to turn off tooltip pointers. This would of course mean that you don't get the pointer triangle at the bottom of tooltips but if you can live without them then this may work well also.

To do this set the tooltipsPointer option to false.

Posted by Alek at 04:05 on Monday 18th April 2022 [link]
Unfortunately 'unsafe-inline' is not an option, but tooltipsPointer: false works.
There could be another solution: use the styles from a CSS file and include them as a class.
Thank you!

Posted by Richard at 10:17 on Monday 18th April 2022 [link]
Great. I'm now going to change from setting the styles inline and relying on .innerHTML, to set them separately after the DIV has been added to the DOM, like this:

// Set each property through the CSSOM instead of an inline style attribute
pointerObj.style.backgroundColor = 'black';
pointerObj.style.color           = 'transparent';
pointerObj.style.position        = 'absolute';
// ... etc

Which works when the style-src CSP option is in use. So try version 6.08 (whenever I get around to releasing it!) and see if that works better for you.
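The approach described above, as an added example that is not RGraph's own code: the pointer's style declarations (the ones quoted earlier in the thread) are parsed and applied one by one through `style.setProperty()`, which CSP's style-src does not block, instead of being injected as a `style=""` attribute through `innerHTML`, which a `style-src 'self'` policy does block. The `fakeDocument()` stand-in is constructed so the example runs outside a browser; in a page, pass the real `document`.

```javascript
// Inline CSS text as it appears in the tooltip pointer quoted in this thread.
const POINTER_CSS_TEXT =
  'background-color:black; color: transparent;position:absolute;bottom:-5px;' +
  'left:50%;transform:translateX(-50%) rotate(45deg);width:10px;height:10px';

// Parse "prop:value; prop:value" into [property, value] pairs.
// Splitting on ';' is enough here because none of the values contain one.
function parseInlineStyle(text) {
  return text
    .split(';')
    .map((decl) => decl.trim())
    .filter((decl) => decl.length > 0)
    .map((decl) => {
      const idx = decl.indexOf(':');
      if (idx < 0) throw new Error(`bad declaration: ${decl}`);
      return [decl.slice(0, idx).trim(), decl.slice(idx + 1).trim()];
    });
}

// Build the pointer DIV without an inline style attribute. Property
// assignment via the CSSOM (style.setProperty) is not governed by style-src,
// whereas a style="" attribute arriving through innerHTML/setAttribute is.
function buildTooltipPointer(doc) {
  const pointer = doc.createElement('div');
  pointer.id = 'RGraph_tooltipsPointer';
  for (const [prop, value] of parseInlineStyle(POINTER_CSS_TEXT)) {
    pointer.style.setProperty(prop, value);
  }
  return pointer;
}

// Minimal constructed stand-in for document.createElement so this file runs
// under Node; it only records what setProperty() was asked to store.
function fakeDocument() {
  return {
    createElement(tag) {
      const props = {};
      return {
        tagName: tag.toUpperCase(),
        id: '',
        style: {
          setProperty(p, v) { props[p] = v; },
          getPropertyValue(p) { return props[p] ?? ''; },
        },
      };
    },
  };
}
```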

Posted by Alek at 20:25 on Monday 18th April 2022 [link]
Sounds good
Thank you for looking into it
