MENU
.net Powerful JavaScript charts
About
RGraph is a JavaScript charts library based on HTML5 SVG and canvas. RGraph is mature (over 18 years old) and has a wealth of features making it an ideal choice to use for showing charts on your website.

More »

 

Version 7.20
Version 7.20 (released in June 2026) is the latest version of RGraph and the major change in this version is an update to the default values of properties making for better looking charts without having to set any properties. Read more about this and other changes in the changelog.

Download »

 

Download
Get the latest version of RGraph (version 7.20, 9th June 2026) from the download page. You can read the changelog here. There's also older versions available, minified files and links to cdnjs.com hosted libraries.

Download »

 

Latest forum posts
These are the latest support forum posts that have been posted or updated.

16th June, Rachel
I have a question about the 3D Bar chart
12th June, Marco
Should I use SVG or canvas for the charts on my website?
9th June, Richard
New version of RGraph: version 7.20
3rd June, Patrick
Question about installing RGraph
1st June, Ouja
How do I add a click event to a bar in my Bar chart?


Support forum »

 

License
RGraph can be used for free under the GPL or if that doesn't suit your situation there's an inexpensive (£129) commercial license available.

More »

Tooltips fail in 'style-src' when applying Content-Security-Policy


Posted by Alek at 20:46 on Sunday 17th April 2022 [link]
Hi Richard,
I apply CSP to the header responses, like "style-src 'self'" and since we do not allow any inline styling I've noticed that script fails the policy on line 794: tooltipObj.innerHTML = args.text;
I use standard tooltips with no style modifications
args.text value is "'MY VALUE GOES HERE FOLLWED BY RGRAPH STYLE
<div id="RGraph_tooltipsPointer" style="background-color:black; color: transparent;position:absolute;bottom:-5px;left:50%;transform:translateX(-50%) rotate(45deg);width:10px;height:10px"></div>'"

Do you have any suggestions

Thank you
Alek

Posted by Richard at 21:08 on Sunday 17th April 2022 [link]
You could make an exception for the page that uses RGraph tooltips.

According to this docs page:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

You can set an option on the header that allows the use of inline styles. Here's what it says:

To allow inline styles, 'unsafe-inline', a nonce-source or a hash-source that matches the inline block can be specified.

So the example that it gives is this:

Content-Security-Policy: style-src 'unsafe-inline';

Also, another way might be to turn off tooltip pointers. This would of course mean that you don't get the pointer triangle at the bottom of tooltips but if you can live without them then this may work well also.

To do this set the tooltipsPointer option to false.

Posted by Alek at 04:05 on Monday 18th April 2022 [link]
Unfortunately 'unsafe-inline' is not an option, but tooltipsPointer: false works
There could be another solution: use of styles from css file and include it as a class
Thank you!

Posted by Richard at 10:17 on Monday 18th April 2022 [link]
Great. I'm now going to change from setting the styles inline and relying on .innerHTML, to set them separately after the DIV has been added to the DOM, like this:

pointerObj.style.backgroundColor = 'black';
pointerObj.style.color         = 'transparent';
pointerObj.style.position        = 'absolute';
// ... etc
Which works when the style-src CSP option is in use. So try version 6.08 (whenever I get around to releasing it!) and see if that works better for you..

Posted by Alek at 20:25 on Monday 18th April 2022 [link]
Sounds good
Thank you for looking into it

[Replies are closed]