Output of renderer 'notebook' violates Content Security Policy

## Setup description
We have plotly.py setup with `pio.renderers.default = "notebook"` and we use `nbconvert 6.5` to convert executed notebooks to HTML reports with input cells stripped out. These HTMLs are served by a simple node.js front end that has Content Security Policies for `script-src` setup due to security requirements.

## Issue description
The exported HTML contains inline script tags one of which has plotly.js and its dependencies. One of the dependencies seems to violate our `script-src` Content Security Policy as it is using `eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings` [Reference](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)

CSP Error from Chrome:

<ol class="tree-outline hide-selection-when-blurred issues" role="tree" tabindex="-1" style="box-sizing: border-box; min-width: 0px; min-height: 0px; padding: 0px; margin: 0px; z-index: 0; position: relative; overflow: auto; --issue-indent:8px; list-style-type: none; color: rgb(189, 198, 207); font-family: &quot;.SFNSDisplay-Regular&quot;, &quot;Helvetica Neue&quot;, &quot;Lucida Grande&quot;, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><li role="treeitem" class="issue parent expanded" aria-expanded="true" style="box-sizing: border-box; min-width: 0px; min-height: 16px; padding-top: 0px; padding-right: 8px; padding-bottom: 0px; padding-left: var(--issue-indent); overflow: hidden; flex: 0 0 auto; transition: background-color 0.2s ease 0s; border-top-color: ; border-top-style: ; border-right-color: ; border-right-style: ; border-bottom-color: ; border-bottom-style: ; border-left-color: ; border-left-style: ; border-image-source: ; border-image-slice: ; border-image-width: ; border-image-outset: ; border-image-repeat: ; border-width: 0px; text-overflow: ellipsis; white-space: normal; position: relative; display: flex; align-items: center; background: var(--color-background);"><div class="header" style="box-sizing: border-box; min-width: 0px; min-height: 0px; display: flex; flex-direction: row; align-items: center; padding: 6px 0px; cursor: pointer; width: 1765.08px;"><div class="title" style="box-sizing: border-box; min-width: 0px; min-height: 0px; flex: 1 1 0%; font-size: 14px; color: var(--color-text-primary); font-weight: 450; user-select: text;">Content Security Policy of your site blocks the use of 'eval' in JavaScript`</div><devtools-hide-issues-menu style="box-sizing: border-box; min-width: 0px; min-height: 0px; display: block;"><button class="hide-issues-menu-btn" title="Hide issues" style="position: relative; display: flex; background-color: transparent; flex: 0 0 auto; align-items: center; justify-content: center; padding: 1px 4px; overflow: hidden; border-radius: 0px; border: none; --icon-color:var(--color-text-primary); opacity: 0.5;"><devtools-icon style="display: inline-block; white-space: nowrap;"><div class="icon-basic" style="width: 4px; height: 14px; display: block; background-image: url(&quot;devtools://devtools/bundled/devtools-frontend/front_end/Images/three_dots_menu_icon.svg&quot;); background-position: center center; background-repeat: no-repeat; background-size: 99%;"></div></devtools-icon></button></devtools-hide-issues-menu></div></li><ol class="children body issue-kind-page-error expanded" role="group" style="box-sizing: border-box; min-width: 0px; min-height: 0px; list-style-type: none; padding-left: calc(var(--issue-indent) + 43px); border-bottom: 1px solid var(--color-details-hairline-light); padding-top: 6px; position: relative; padding-bottom: 26px; padding-right: 8px; display: block;"><li role="treeitem" class="always-parent" style="box-sizing: border-box; min-width: 0px; min-height: 16px; text-overflow: ellipsis; white-space: normal; position: relative; display: flex; align-items: center;"><span class="tree-element-title" style="box-sizing: border-box; min-width: 0px; min-height: 0px;"></span><devtools-markdown-view style="box-sizing: border-box; min-width: 0px; min-height: 0px;"><div class="message" style="line-height: 20px; font-size: 14px; color: var(--color-text-secondary); margin-bottom: 4px; user-select: text;"><p style="margin-bottom: 16px; margin-block-start: 2px;">The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.</p><p style="margin-bottom: 16px; margin-block-start: 2px;">To solve this issue, avoid using<span> </span><code style="color: var(--color-text-primary); font-size: 12px; user-select: text; cursor: text; background: var(--color-background-elevation-1);">eval()</code>,<span> </span><code style="color: var(--color-text-primary); font-size: 12px; user-select: text; cursor: text; background: var(--color-background-elevation-1);">new Function()</code>,<span> </span><code style="color: var(--color-text-primary); font-size: 12px; user-select: text; cursor: text; background: var(--color-background-elevation-1);">setTimeout([string], ...)</code><span> </span>and<span> </span><code style="color: var(--color-text-primary); font-size: 12px; user-select: text; cursor: text; background: var(--color-background-elevation-1);">setInterval([string], ...)</code><span> </span>for evaluating strings.</p><p style="margin-bottom: 16px; margin-block-start: 2px;">If you absolutely must: you can enable string evaluation by adding<span> </span><code style="color: var(--color-text-primary); font-size: 12px; user-select: text; cursor: text; background: var(--color-background-elevation-1);">unsafe-eval</code><span> </span>as an allowed source in a<span> </span><code style="color: var(--color-text-primary); font-size: 12px; user-select: text; cursor: text; background: var(--color-background-elevation-1);">script-src</code><span> </span>directive.</p><p style="margin-bottom: 16px; margin-block-start: 2px;">⚠️ Allowing string evaluation comes at the risk of inline script injection.</p></div></devtools-markdown-view></li><li role="treeitem" class="always-parent parent expanded affected-resources-label" aria-expanded="true" style="box-sizing: border-box; min-width: 0px; min-height: 16px; margin-top: 5px; font-size: 10px; font-weight: 500; letter-spacing: 0.06em; text-transform: uppercase; color: var(--color-text-primary); display: flex; text-overflow: ellipsis; white-space: normal; position: relative; align-items: center;">AFFECTED RESOURCES</li><ol class="children expanded affected-resources" role="group" style="box-sizing: border-box; min-width: 0px; min-height: 0px; list-style-type: none; padding: 3px 0px 0px; position: relative; user-select: text; display: block;"><li role="treeitem" class="parent expanded" aria-expanded="true" style="box-sizing: border-box; min-width: 0px; min-height: 16px; text-overflow: ellipsis; white-space: normal; position: relative; display: flex; align-items: center; margin-top: 0px; padding: 2px 5px 0px; background: var(--color-background-elevation-0);"><span class="tree-element-title" style="box-sizing: border-box; min-width: 0px; min-height: 0px;"></span><div class="affected-resource-label" style="box-sizing: border-box; min-width: 0px; min-height: 0px; font-size: 14px; line-height: 20px; color: var(--color-text-primary); position: relative; cursor: pointer;">1 directive</div></li><ol class="children expanded" role="group" style="box-sizing: border-box; min-width: 0px; min-height: 0px; list-style-type: none; padding: 6px 0px 9px 5px; display: block; background: var(--color-background-elevation-0); margin-bottom: 10px;"><li role="treeitem" class="selected" tabindex="0" aria-selected="true" style="box-sizing: border-box; min-width: 0px; min-height: 16px; outline-width: 0px; text-overflow: ellipsis; white-space: normal; position: relative; display: flex; align-items: center; background: var(--legacy-focus-bg-color); border-radius: 2px; width: fit-content; padding-right: 3px;"><span class="tree-element-title" style="box-sizing: border-box; min-width: 0px; min-height: 0px;"></span>

Source Location | Directive | Status
-- | -- | --
report:14743 | script-src | blocked

</li></ol></ol></ol></ol>

<img width="1149" alt="Screen Shot 2022-05-19 at 8 10 12 AM" src="https://user-images.githubusercontent.com/1821869/169335291-bca036e5-9fdc-4f1e-9fad-1516b2ab3430.png">

## Ask
Is there a way to provide plotly.py the ability to use the [plotly.js strict bundle](https://github.com/plotly/plotly.js/blob/master/dist/README.md#plotlyjs-strict) and hence avoid having to use dependencies that violate CSP?


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Output of renderer 'notebook' violates Content Security Policy #3739

Setup description

Issue description

Ask

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Output of renderer 'notebook' violates Content Security Policy #3739

Description

Setup description

Issue description

Ask

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions