CSP violation using Angular Viewer when report contain graphics

Posted: Mon Aug 26, 2024 5:15 pm
by victorscapin
Hello,

I'm using Stimulsoft Viewer for Angular, and I'm having issues when the report contains graphics due to CSP rules.
My CSP rule is a simple script-src 'self'.

Graphic not showing data:
[Image: report without unsafe-inline.png]

Console Error:
[Image: csp violation.png]

When I add 'unsafe-inline', it's fine:
[Image: report with unsafe-inline.png]

It's not a good practice to allow unsafe-inline in any HTML application. Is there a workaround or a fix to this issue?

Thanks

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Tue Aug 27, 2024 1:10 pm
by Vadim
Hello

From version 2024.4.1 you can use 'nonce-stichartanimation' to allow the chart animation script.
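
As an added illustration (not part of the original posts and not Stimulsoft code), the following JavaScript models how a browser decides whether an inline script may run under the three policies discussed in this thread. It assumes the viewer's chart animation script carries the attribute nonce="stichartanimation", which is inferred from the source value in the reply above; the function names are hypothetical, and hash sources are only detected, not matched.

```javascript
// Added example: simplified model of CSP inline-script evaluation.
// Covers 'unsafe-inline' and nonce sources only ('strict-dynamic' is not modelled).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !directives.has(key)) directives.set(key, values);
  }
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function inlineScriptAllowed(policy, scriptNonce) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // strip the leading 'nonce- and the closing quote
  // An inline script runs if its nonce attribute matches a nonce source.
  if (scriptNonce && nonces.includes(scriptNonce)) return true;
  // CSP Level 2+: 'unsafe-inline' is ignored once a nonce or hash source is present.
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return unsafeInline && nonces.length === 0 && !hasHash;
}

// The three policies from the thread.
const POLICIES = {
  original: "script-src 'self'",
  unsafeInline: "script-src 'self' 'unsafe-inline'",
  nonce: "script-src 'self' 'nonce-stichartanimation'",
};

// Assumption: nonce attribute the viewer puts on its chart animation script.
const CHART_NONCE = 'stichartanimation';

function compare() {
  return Object.fromEntries(
    Object.entries(POLICIES).map(([name, policy]) => [name, {
      chartScript: inlineScriptAllowed(policy, CHART_NONCE),
      untaggedInline: inlineScriptAllowed(policy, null),
    }])
  );
}

console.table(compare());
```

The CSP specification expects a nonce to be freshly generated for each response; a fixed value like the one above is stricter than 'unsafe-inline' but does not give that guarantee.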

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Wed Aug 28, 2024 2:26 pm
by victorscapin
Hi Vadim

I will try that on next release. Thanks

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Thu Aug 29, 2024 4:50 pm
by Lech Kulikowski
Hello,

You are welcome.

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Tue Jan 13, 2026 7:57 am
by Antonin H.
Hello,
I have a question related to this thread. Stimulsoft for Angular lists CSP nonce support among the changes in some versions from 2024. How do I take advantage of this nonce support, when using the Stimulsoft Designer for Angular? (version 25.1 or newer).
Maybe there is a simple configuration that I am missing.

Could you please provide a short explanation and an example?
(Like what would be the entry point to pass a nonce number value, or how to configure nonce being added to script tags, or what CSP source values for 'script-src', 'image-src' etc. I need to allow in my headers in order for Designer to fully work (except 'unsafe-inline').)

Thank you and have a nice day.

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Tue Jan 13, 2026 8:26 am
by Vadim
Hello

Designer for Angular does not support CSP nonce. (only Angular Viewer)

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Tue Jan 13, 2026 2:48 pm
by Antonin H.
Hello,
thank you for the response.
To be honest, from the outside/customer perspective I don't understand why there is CSP support for the viewer and not for the designer, because that means that while wanting to use what is arguably the more crucial part of the Stimulsoft experience (to even create reports in the first place), it is not possible to do it in a secure way that would for example score well during an application security audit.

Is this CSP nonce feature (or any way to include the scripts and styles without having to allow 'unsafe-inline') considered for some future Stimulsoft release?

Thank you in advance for a response and have a nice day.

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Wed Jan 14, 2026 11:11 am
by Lech Kulikowski
Hello,

We will consider adding this support for the designer and will let you know.

Thank you.

Re: CSP violation using Angular Viewer when report contain graphics

Posted: Thu Jan 15, 2026 10:18 am
by Lech Kulikowski
Hello,

Unfortunately, at the moment, despite all our efforts, there is no such possibility.

Thank you.