Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Nivo doesn't work with CSP policy unsafe-eval

See original GitHub issue

First of all: thanks for a great package!

See this as a bug/feature request/friendly reminder for future versions.

Nivo’s dependency react-spring/core has an unsafe eval (https://github.com/pmndrs/react-spring/issues/1423) that causes pages with nivo to not render.

Describe/explain the bug When rendering nivo charts, exception is thrown if CSP policy unsafe-eval isn’t allowed.

To Reproduce

Steps to reproduce the behavior:

  1. Create a simple React project with nivo newer than 65
  2. Create a server that sets sensible CSP defaults:
const express = require('express');
const helmet = require('helmet');

const server = express();

server.use(compression());
server.use(
    helmet({
        contentSecurityPolicy: {
            directives: {
                ...helmet.contentSecurityPolicy.getDefaultDirectives(),
            },
        },
    })
);

server.use('/public', express.static('public'));

server.listen(port, function () {
    console.log('Listening on port ' + port);
});

Expected behavior Server should be able to render the page.

Actual behavior

Server won’t send the bundled files.

Screenshots image

Additional context

Perhaps downgrade to a version of @react-spring/core before this issue was introduced - or keep this as a reminder to update once https://github.com/pmndrs/react-spring/issues/1423 is resolved. Nivo v. 65 works fine, so I’ll keep to that for now.

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:7

github_iconTop GitHub Comments

10reactions
eranelbazcommented, Jun 15, 2021

Hey! We are using nivo to render graphs in our application, and we encounter this problem daily and it affect our users…

can you guys release version of nivo that include this pull request? Thanks!

@wyze

4reactions
wyzecommented, Jun 16, 2021

I’ll shoot for next week after I return from vacation.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Content-Security-Policy - HTTP - MDN Web Docs
Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure...
Read more >
Strict CSP - Content Security Policy
'unsafe-eval' allows the application to use the eval() JavaScript function. This reduces the protection against certain types of DOM-based XSS bugs, but makes ......
Read more >
Content Security Policy (CSP) Bypass - HackTricks
unsafe-eval: This allows the use of eval() and similar methods for creating code from strings. This is not a safe practice to include...
Read more >
Content Security Policy | The GitHub Blog
We've started rolling out a new security feature called “Content Security Policy” or CSP. As a user, it will better protect your account ......
Read more >
CSP - Alpine.js
log()" , it needs to rely on utilities that violate the "unsafe-eval" content security policy. Under the hood, Alpine doesn't actually use eval()...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Colors from data not being displayed in Nivo ResponsiveHeatMap

Next page

Cant install using npm - broken dependency tree (@nivo/pie v0.67.0)