From 46c7cdbefa4e5ba58a0c7eed2af16dc65be217b4 Mon Sep 17 00:00:00 2001 From: Ruben Thoms Date: Thu, 19 Dec 2024 15:11:35 +0100 Subject: [PATCH 1/5] Enforcing React 18 in Dash and allowing `data:` in CSP `connect-src` --- webviz_config/_theme_class.py | 2 +- webviz_config/templates/copy_data_template.py.jinja2 | 2 ++ webviz_config/templates/webviz_template.py.jinja2 | 4 +++- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py index 9ea9f24c..489c4ecb 100644 --- a/webviz_config/_theme_class.py +++ b/webviz_config/_theme_class.py @@ -12,7 +12,7 @@ def __init__(self, theme_name: str): self._csp = { "default-src": "'none'", - "connect-src": "'self'", + "connect-src": ["'self'", "data:"], "style-src": ["'self'", "'unsafe-inline'"], # [1] "script-src": ["'self'", "blob:", "'unsafe-eval'"], # [blob: 2] [eval: 3] "img-src": ["'self'", "data:", "blob:"], # [4] diff --git a/webviz_config/templates/copy_data_template.py.jinja2 b/webviz_config/templates/copy_data_template.py.jinja2 index 957d5330..0c3d8944 100644 --- a/webviz_config/templates/copy_data_template.py.jinja2 +++ b/webviz_config/templates/copy_data_template.py.jinja2 @@ -24,6 +24,8 @@ theme = webviz_config.WebvizConfigTheme("{{ theme_name }}") theme.from_json((Path(__file__).resolve().parent / "theme_settings.json").read_text()) theme.plotly_theme_layout_update({{ options.plotly_theme }}) +dash._dash_renderer._set_react_version("18.3.1") + app = dash.Dash() app.config.suppress_callback_exceptions = True diff --git a/webviz_config/templates/webviz_template.py.jinja2 b/webviz_config/templates/webviz_template.py.jinja2 index 4f3cbd9a..afe9c236 100644 --- a/webviz_config/templates/webviz_template.py.jinja2 +++ b/webviz_config/templates/webviz_template.py.jinja2 @@ -14,7 +14,7 @@ from pathlib import Path from uuid import uuid4 -from dash import html, dcc, Dash, Input, Output, callback, callback_context +from dash import html, dcc, Dash, Input, Output, callback, callback_context, _dash_renderer import webviz_core_components as wcc from flask_talisman import Talisman import webviz_config @@ -40,6 +40,8 @@ theme = webviz_config.WebvizConfigTheme("{{ theme_name }}") theme.from_json((Path(__file__).resolve().parent / "theme_settings.json").read_text()) theme.plotly_theme_layout_update({{ options.plotly_theme }}) +_dash_renderer._set_react_version("18.3.1") + app = Dash( name=__name__, external_stylesheets=theme.external_stylesheets, From c6ebadd3f6b7402c7ed1ea00cf545f65c43bc2ad Mon Sep 17 00:00:00 2001 From: Ruben Thoms Date: Tue, 7 Jan 2025 09:50:19 +0100 Subject: [PATCH 2/5] Added changes to changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba354227..3934b1af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [#655](https://github.com/equinor/webviz-config/pull/655) - Regression fix: Show filters in `TablePlotter` when using `lock` argument. ### Changed +- [#687](https://github.com/equinor/webviz-config/pull/687) - Enforce React 18 in Dash. +- [#687](https://github.com/equinor/webviz-config/pull/687) - Allow `data:` in `connect-src` CSP in order to enable loading of images from data strings. - [#648](https://github.com/equinor/webviz-config/pull/648) - Allow `blob:` in `script-src` CSP in order to enable web worker usage in Dash components. - [#652](https://github.com/equinor/webviz-config/pull/652) - Enabled support for LaTeX math/equations in markdown. - [#653](https://github.com/equinor/webviz-config/pull/653) - Reduce time for running `webviz --help` by lazy importing top level entrypoints. From e0213271bb04a56b83f24a98d8ed557aae61d328 Mon Sep 17 00:00:00 2001 From: Ruben Thoms Date: Tue, 7 Jan 2025 09:57:23 +0100 Subject: [PATCH 3/5] Removed `navigate-to` from CSP --- CHANGELOG.md | 2 +- webviz_config/_theme_class.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3934b1af..f1d3bc8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed - [#687](https://github.com/equinor/webviz-config/pull/687) - Enforce React 18 in Dash. -- [#687](https://github.com/equinor/webviz-config/pull/687) - Allow `data:` in `connect-src` CSP in order to enable loading of images from data strings. +- [#687](https://github.com/equinor/webviz-config/pull/687) - Allow `data:` in `connect-src` CSP in order to enable loading of images from data strings. Removed `navigate-to` in CSP as it got deprecated. - [#648](https://github.com/equinor/webviz-config/pull/648) - Allow `blob:` in `script-src` CSP in order to enable web worker usage in Dash components. - [#652](https://github.com/equinor/webviz-config/pull/652) - Enabled support for LaTeX math/equations in markdown. - [#653](https://github.com/equinor/webviz-config/pull/653) - Reduce time for running `webviz --help` by lazy importing top level entrypoints. diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py index 489c4ecb..08fcf825 100644 --- a/webviz_config/_theme_class.py +++ b/webviz_config/_theme_class.py @@ -16,7 +16,6 @@ def __init__(self, theme_name: str): "style-src": ["'self'", "'unsafe-inline'"], # [1] "script-src": ["'self'", "blob:", "'unsafe-eval'"], # [blob: 2] [eval: 3] "img-src": ["'self'", "data:", "blob:"], # [4] - "navigate-to": "'self'", "base-uri": "'self'", "form-action": "'self'", "frame-ancestors": "'self'", # [5] From 966d1f01805fe3efc882c2b7bf3bcb6dce1e5d46 Mon Sep 17 00:00:00 2001 From: Ruben Thoms Date: Tue, 7 Jan 2025 10:20:06 +0100 Subject: [PATCH 4/5] Fixed tests --- webviz_config/testing/_composite.py | 2 +- webviz_config/testing/_webviz_ids.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/webviz_config/testing/_composite.py b/webviz_config/testing/_composite.py index aa7966a7..b9d6cce2 100644 --- a/webviz_config/testing/_composite.py +++ b/webviz_config/testing/_composite.py @@ -70,7 +70,7 @@ def start_server(self, plugin: WebvizPluginABC, **kwargs: Any) -> None: def toggle_webviz_settings_drawer(self) -> None: """Open the plugin settings drawer""" - self.wait_for_element(WebvizIds.SETTINGS_DRAWER_TOGGLE_OPEN).click() + self.wait_for_element(WebvizIds.SETTINGS_DRAWER_TOGGLE).click() def toggle_webviz_settings_group(self, settings_group_id: str) -> None: """Open the respective settings group in the settings drawer""" diff --git a/webviz_config/testing/_webviz_ids.py b/webviz_config/testing/_webviz_ids.py index c7f76335..9b373afd 100644 --- a/webviz_config/testing/_webviz_ids.py +++ b/webviz_config/testing/_webviz_ids.py @@ -6,4 +6,4 @@ class WebvizIds(str, Enum): CONTENT_MANAGER = "webviz-content-manager" SETTINGS_DRAWER = "settings-drawer" PLUGINS_WRAPPER = "plugins-wrapper" - SETTINGS_DRAWER_TOGGLE_OPEN = ".WebvizSettingsDrawer__ToggleOpen" + SETTINGS_DRAWER_TOGGLE = ".WebvizSettingsDrawer__Toggle" From 549a2c51016f6830d73d084f2e1c6350e9dc277a Mon Sep 17 00:00:00 2001 From: Ruben Thoms Date: Tue, 7 Jan 2025 10:47:35 +0100 Subject: [PATCH 5/5] Ignoring shaky test `test_example_wlf_plugin.py` --- .github/workflows/webviz-config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/webviz-config.yml b/.github/workflows/webviz-config.yml index 7a1973e9..a20d3cde 100644 --- a/.github/workflows/webviz-config.yml +++ b/.github/workflows/webviz-config.yml @@ -73,7 +73,7 @@ jobs: - name: 🤖 Run tests run: | webviz preferences --theme default - pytest ./tests --headless --forked + pytest ./tests --headless --forked --ignore ./tests/test_example_wlf_plugin.py webviz docs --portable ./docs_build --skip-open webviz schema