Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Basic charts with tooltips not compliant with strict styles CSP directive #19938

Open
keyonvandenelzen opened this issue May 15, 2024 · 2 comments
Open

[Bug] Basic charts with tooltips not compliant with strict styles CSP directive #19938

keyonvandenelzen opened this issue May 15, 2024 · 2 comments
Labels
bug en This issue is in English pending We are not sure about whether this is a bug/new feature.

Comments

@keyonvandenelzen
Copy link

Version

5.5.0 (.min.js)

Link to Minimal Reproduction

https://keyonvandenelzen.github.io/echarts-tooltip-csp-violation/

Steps to Reproduce

  1. Set CSP directive 'style-src' to 'self'
  2. Create a bar, line or pie chart (I used the basic examples for simplicity)
  3. Use any render mode (I used svg in my minimal reproduction)
  4. Configure the ECharts option to display a tooltip

Current Behavior

Strict style-src CSP directive is violated and therefore the tooltip is only partially styled.

Expected Behavior

Strict style-src CSP directive should not be violated.

Environment

- OS: Windows 11, Version 23H2, OS Build 22631.3447
- Browser: Chrome 124.0.6367.207
- Framework: vanilla JS

Any additional comments?

Similar issue has been reported previously. Used @undeletable's minimal reproduction and issue format as a basis for this one.
@echarts-bot echarts-bot bot added en This issue is in English pending We are not sure about whether this is a bug/new feature. labels May 15, 2024
@keyonvandenelzen
Copy link
Author

keyonvandenelzen commented May 16, 2024
edited
Loading

I have found a workaround for this issue. Using a custom tooltip formatter prevents inline styles from being used and thus the CSP directive is not violated.

@sammajeed
Copy link

I have found a workaround for this issue. Using a custom tooltip formatter prevents inline styles from being used and thus the CSP directive is not violated.

Apparently this workaround doesn't fix the issue. Browser still gives the warning about CSP inline-style

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug en This issue is in English pending We are not sure about whether this is a bug/new feature.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sammajeed @keyonvandenelzen