Tooltips fail in 'style-src' when applying Content-Security-Policy
Posted by Alek at 20:46 on Sunday 17th April 2022
I apply CSP to the header responses, like "style-src 'self'", and since we do not allow any inline styling I've noticed that the script fails the policy on line 794: tooltipObj.innerHTML = args.text;
I use standard tooltips with no style modifications.
args.text value is "'MY VALUE GOES HERE FOLLOWED BY RGRAPH STYLE
<div id="RGraph_tooltipsPointer" style="background-color:black; color: transparent;position:absolute;bottom:-5px;left:50%;transform:translateX(-50%) rotate(45deg);width:10px;height:10px"></div>'"
Do you have any suggestions?
Posted by Richard at 21:08 on Sunday 17th April 2022
You could make an exception for the page that uses RGraph tooltips.
Also, another way might be to turn off tooltip pointers. This would of course mean that you don't get the pointer triangle at the bottom of tooltips but if you can live without them then this may work well also.
To do this set the tooltipsPointer option to false.
Posted by Alek at 04:05 on Monday 18th April 2022
Unfortunately 'unsafe-inline' is not an option, but tooltipsPointer: false works.
There could be another solution: use styles from a CSS file and include them as a class.
Posted by Richard at 10:17 on Monday 18th April 2022
Great. I'm now going to change from setting the styles inline and relying on .innerHTML, to set them separately after the DIV has been added to the DOM, like this:
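The approach discussed in this thread, sketched as an added example that is not RGraph's code and not part of the original posts: the style attribute is taken out of the markup before it reaches .innerHTML, and the same declarations are set through element.style once the element is in the DOM, which "style-src 'self'" permits. The function names and the data-csp-style marker attribute are hypothetical, and the sample markup is constructed from the value quoted in the first post.

```javascript
// Added example, not RGraph code. Assumes double-quoted style attributes,
// as in the pointer markup quoted in the thread (sample below is constructed).
const SAMPLE_TOOLTIP_HTML = 'My value<div id="RGraph_tooltipsPointer" ' +
  'style="background-color:black; color: transparent;position:absolute;' +
  'bottom:-5px;left:50%;transform:translateX(-50%) rotate(45deg);' +
  'width:10px;height:10px"></div>';

// Split "a:b; c:d" into [property, value] pairs.
function parseDeclarations(styleText) {
  return styleText
    .split(';')
    .map((decl) => decl.trim())
    .filter((decl) => decl.includes(':'))
    .map((decl) => {
      const colon = decl.indexOf(':');
      return [decl.slice(0, colon).trim(), decl.slice(colon + 1).trim()];
    });
}

// Replace style="..." attributes (one per tag) with a data-csp-style="N"
// marker and return the cleaned markup plus the declarations taken out.
function stripInlineStyles(html) {
  const styles = [];
  const pattern = /(<[a-zA-Z][^<>]*?)\sstyle="([^"]*)"/g;
  const cleaned = html.replace(pattern, (_match, head, styleText) => {
    styles.push(parseDeclarations(styleText));
    return `${head} data-csp-style="${styles.length - 1}"`;
  });
  return { html: cleaned, styles };
}

// Once the cleaned markup is in the DOM, set each property through the CSSOM
// (element.style), which style-src does not treat as an inline style.
function applyStyles(root, styles) {
  styles.forEach((declarations, index) => {
    const el = root.querySelector(`[data-csp-style="${index}"]`);
    if (!el) return;
    for (const [prop, value] of declarations) el.style.setProperty(prop, value);
    el.removeAttribute('data-csp-style');
  });
}

// Browser usage, with tooltipObj and args.text as named in the thread:
//   const { html, styles } = stripInlineStyles(args.text);
//   tooltipObj.innerHTML = html;
//   applyStyles(tooltipObj, styles);
```

Setting the attribute with setAttribute('style', ...) would still be blocked by the policy, so the properties have to go through element.style.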