Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Content Security Policy

See original GitHub issue

Expected Behavior

Displays line chart.

Actual Behavior

Fails to render the line chart with the following errors:

[Vue warn]: It seems you are using the standalone build
of Vue.js in an environment with Content Security Policy
that prohibits unsafe-eval. The template compiler cannot
work in this environment. Consider relaxing the policy to
allow unsafe-eval or pre-compiling your templates into render functions.

[Vue warn]: failed to compile template:


    <div>
      <canvas :id="chartId" :width="width" :height="height" ref="canvas"></canvas>
    </div>
  

- invalid expression: :id="chartId"
- invalid expression: :width="width"
- invalid expression: :height="height"

TypeError: Cannot read property 'getContext' of undefined

Environment

OS: Ubuntu 14.04.
Node v7.2.1
NPM@4.0.5
vue@2.1.6
Webpack@2.2.0-rc.1
vue-chartjs@2.3.0
vue-loader@10.0.2

I’m using this Content-Security-Policy: Content-Security-Policy:base-uri 'self'; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src *; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'

All other parts of my application work as expected until I try to render a chart for the first time.

My LineChart component looks like this:

<script>
import { Line } from "vue-chartjs";

export default Line.extend({
    props: ["data", "options"],
    mounted () {
        this.renderChart(this.data, this.options);
    }
});
</script>

Issue Analytics

State:
Created 7 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

2reactions

syxolkcommented, Dec 21, 2016

Works great for my LineChart component, tested with the same CSP header in Chrome 55 and Firefox 50.

Thanks for fixing that so fast.

1reaction

aperturelesscommented, Dec 20, 2016

Should be fixed now in v2.3.1

Would be great if you could test it.

Top Results From Across the Web

Content Security Policy (CSP) - HTTP - MDN Web Docs

Chrome Edge Content‑Security‑Policy Full support. Chrome25. more. Toggle history Full sup... base‑uri Full support. Chrome40. Toggle history Full sup... block‑all‑mixed‑content. Deprecated Full support. ChromeYes. Toggle history...

Content-Security-Policy Header CSP Reference & Examples

Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page)....

Content Security Policy - Wikipedia

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection ...

Content security policy - web.dev

Content Security Policy can significantly reduce the risk and impact of cross-site scripting attacks in modern browsers.

What is Content Security Policy (CSP) | Header Examples

A Content Protection Policy (CSP) is a security standard that provides an additional layer of protection from cross-site scripting (XSS), clickjacking, ...