Common CSP Mistakes With Plotly.js and How to Fix Them
Plotly.js is great until you put a real Content Security Policy in front of it. I’ve seen this go the same way a bunch of times: charts work fine in local dev, someone adds a decent CSP in staging, and suddenly the graph is blank, console errors pile up, and the quick “fix” is to throw 'unsafe-inline' and 'unsafe-eval' into the policy. That usually gets the chart rendering again, but it also guts the point of having CSP. ...