CSP violation using Angular Viewer when report contain graphics
-
victorscapin
- Posts: 9
- Joined: Wed Apr 05, 2017 2:41 pm
CSP violation using Angular Viewer when report contain graphics
Hello,
I'm using Stimulsoft Viewer for Angular, and I'm having issues when the report contains graphics due to CSP rules.
My CSP rule is a simple script-src 'self'.
Graphic not showing data: Console Error:
When I add 'unsafe-inline', it's fine:
It's not a good practice to allow unsafe-inline in any HTML application. Is there a workaround or a fix to this issue?
Thanks
Re: CSP violation using Angular Viewer when report contain graphics
Hello
From version 2024.4.1 you can use 'nonce-stichartanimation' to allow the chart animation script.
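To make the effect of that answer concrete, here is an added example (not Stimulsoft's code, not from this thread) that evaluates a script-src directive the way a CSP Level 3 browser does, simplified to the source kinds that matter here, and compares the three policies discussed above: the original 'self'-only policy, the 'unsafe-inline' workaround, and the 'nonce-stichartanimation' source. The page origin and the injected-script sample are constructed for the example.

```javascript
// Added example: a minimal script-src evaluator covering 'self',
// 'unsafe-inline', 'nonce-...' and plain origin sources (hash sources
// and 'strict-dynamic' are not modelled; this is not a full CSP engine).

function parseScriptSrc(policy) {
  // Split the policy on ';', locate script-src and return its source list.
  const directive = policy.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0] === 'script-src');
  return directive ? directive.slice(1) : [];
}

// script is { inline: true, nonce?: string } or { inline: false, src: url }.
function scriptAllowed(policy, script, pageOrigin) {
  const sources = parseScriptSrc(policy);
  if (sources.length === 0) return true; // no script-src: nothing restricted here
  const nonces = sources
    .filter(s => s.startsWith("'nonce-"))
    .map(s => s.slice(7, -1)); // strip leading 'nonce- and trailing quote
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (script.inline) {
    // An inline script whose nonce attribute matches a policy nonce is allowed.
    if (script.nonce && nonces.includes(script.nonce)) return true;
    // 'unsafe-inline' is ignored by CSP3 browsers once a nonce or hash source is present.
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  // External script: allowed when 'self' matches the page origin or the origin is listed.
  const origin = new URL(script.src).origin;
  return sources.some(s => (s === "'self'" && origin === pageOrigin) || s === origin);
}

// Constructed sample data: the three policies from the thread and two inline scripts.
const PAGE_ORIGIN = 'https://app.example';
const STRICT = "default-src 'self'; script-src 'self'";
const UNSAFE = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const NONCED = "default-src 'self'; script-src 'self' 'nonce-stichartanimation'";
// The viewer's chart animation script carries nonce="stichartanimation" from 2024.4.1 on.
const chartScript = { inline: true, nonce: 'stichartanimation' };
// Any other inline script (e.g. one without a nonce attribute).
const otherInline = { inline: true };

// Note: this nonce is a fixed, documented string, so it only distinguishes the
// viewer's script from un-nonced inline code; it is not the per-response random
// nonce that CSP nonces are designed to be, and should not be treated as one.
```

Running `scriptAllowed(NONCED, chartScript, PAGE_ORIGIN)` returns true while `scriptAllowed(NONCED, otherInline, PAGE_ORIGIN)` returns false, which is the gap 'unsafe-inline' would have left open.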
-
victorscapin
- Posts: 9
- Joined: Wed Apr 05, 2017 2:41 pm
Re: CSP violation using Angular Viewer when report contain graphics
Hi Vadim
I will try that on the next release. Thanks.
-
Lech Kulikowski
- Posts: 7589
- Joined: Tue Mar 20, 2018 5:34 am
Re: CSP violation using Angular Viewer when report contain graphics
Hello,
You are welcome.
-
Antonin H.
- Posts: 8
- Joined: Fri Jan 03, 2025 3:23 pm
Re: CSP violation using Angular Viewer when report contain graphics
Hello,
I have a question related to this thread. Stimulsoft for Angular lists CSP nonce support among the changes in some versions from 2024. How do I take advantage of this nonce support, when using the Stimulsoft Designer for Angular? (version 25.1 or newer).
Maybe there is a simple configuration that I am missing.
Could you please provide a short explanation and an example?
(Like what would be the entry point to pass a nonce number value, or how to configure nonce being added to script tags, or what CSP source values for 'script-src', 'image-src' etc. I need to allow in my headers in order for Designer to fully work (except 'unsafe-inline').)
Thank you and have a nice day.
Re: CSP violation using Angular Viewer when report contain graphics
Hello
Designer for Angular does not support CSP nonce (only Angular Viewer does).
-
Antonin H.
- Posts: 8
- Joined: Fri Jan 03, 2025 3:23 pm
Re: CSP violation using Angular Viewer when report contain graphics
Hello,
Thank you for the response.
To be honest, from the outside/customer perspective I don't understand why there is CSP support for the viewer and not for the designer, because that means that while wanting to use what is arguably the more crucial part of the Stimulsoft experience (to even create reports in the first place), it is not possible to do it in a secure way that would, for example, score well during an application security audit.
Is this CSP nonce feature (or any way to include the scripts and styles without having to allow 'unsafe-inline') considered for some future Stimulsoft release?
Thank you in advance for a response and have a nice day.