
Fix hydrogen plots e.g. plotly, altair

Open asiloisad opened this issue 11 months ago • 3 comments

The Content Security Policy blocks hydrogen-next interactive elements generated by e.g. plotly and altair. It's an old issue inherited from the old days of hydrogen: https://github.com/nteract/hydrogen/issues/1896#issuecomment-600388705.


Reproduce steps:

  1. Install hydrogen or hydrogen-next
  2. Install Python, IPython & a kernel
  3. Create a Python file
  4. Paste the example code
    import altair as alt
    import numpy as np
    import pandas as pd
    
    # 100 sample points of sin(x / 5)
    x = np.arange(100)
    source = pd.DataFrame({
        'x': x,
        'f(x)': np.sin(x / 5)
    })
    
    # Altair renders this chart as HTML + JavaScript (Vega) in the kernel output
    alt.Chart(source).mark_line().encode(
        x='x',
        y='f(x)'
    )
    
  5. Start the kernel & run all

Tested in dev build.

asiloisad, Feb 11 '25 03:02

Don't let me forget about this PR… but it feels like a bit of a scary change, so I'd like to do a little bit of research to make sure this doesn't open a Pandora's Box somehow.

savetheclocktower, Feb 11 '25 17:02

I will be glad if this PR lands and restores Vega plots https://github.com/atom/atom/pull/14761. The script-src has been explained here

asiloisad, Feb 12 '25 19:02

I don't think this is too scary. We have way more dangerous things that we support in Pulsar, and that's the price we pay for "hackability" (if that's even a word).

I am kind of curious why we can't plot in Hydrogen, because I do plot in my own plug-in Lazuli, but maybe I'm using a different way to evaluate code :thinking:

mauricioszabo, Apr 02 '25 17:04

I ran into an issue with CSP when I was trying to load a web worker by data URL. (At the time I was exploring alternatives to declaring new Worker and then having to construct a file: URL, since most examples expect you'll describe the worker URL relatively from the web page itself — awkward when static.html is in the app bundle and the worker could be in the user's ATOM_HOME folder.) I suspect this change would've fixed it.

I'd be open to liberalizing the CSP as long as we understand exactly why this isn't working now, and why adding these rules would fix that. It's also worth a small amount of brainstorming to think about how this could be used for evil — though similar attack vectors certainly exist now, since anything that can be done within a Node module can be done within Pulsar.

savetheclocktower, Nov 16 '25 20:11
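To make the "why this isn't working now, and why adding these rules would fix that" question concrete, here is an added example that is not part of the issue, of Pulsar or of hydrogen-next: a small evaluator for CSP source-list matching. It parses a policy string, resolves the `script-src` and `worker-src` fallback chains, and decides whether an inline script (the kind a plot renderer injects), a script from a CDN host, or a worker loaded from a `data:` URL would be allowed. The two policy strings, the document origin and the request URLs are constructed for illustration; they are not Pulsar's actual `Content-Security-Policy`. Nonces, hashes, path and port matching and `'strict-dynamic'` are left out to keep the matcher short.

```javascript
// Added example: minimal CSP source-list evaluator (not Pulsar code).
// Fallback chains from the CSP spec: if a directive is absent, the next one governs.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const clause of policy.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Pick the source list that governs a directive by walking its fallback chain.
function effectiveSources(directives, directive) {
  for (const name of FALLBACK[directive]) {
    if (directives.has(name)) return { governing: name, sources: directives.get(name) };
  }
  return { governing: null, sources: null }; // nothing in the chain: unrestricted
}

// Does one source expression match a URL? Handles 'self' against the document
// origin, scheme-sources such as "data:", and host-sources with an optional "*."
// prefix. Ports and paths are ignored (simplification).
function sourceMatchesUrl(source, url, documentOrigin) {
  if (source === "'self'") return url.origin === documentOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source
  const [scheme, rest] = source.includes('://')
    ? source.split('://')
    : [url.protocol.slice(0, -1), source]; // bare host inherits the page's scheme
  if (`${scheme}:` !== url.protocol) return false;
  const hostPart = rest.split('/')[0].split(':')[0];
  if (hostPart.startsWith('*.')) return url.hostname.endsWith(hostPart.slice(1));
  return hostPart === url.hostname;
}

// request: { inline: true } for an inline <script>, or { url } for a src / Worker URL.
function isAllowed(policy, directive, request, documentOrigin) {
  const { governing, sources } = effectiveSources(parseCsp(policy), directive);
  if (!sources) return { allowed: true, governing };
  if (request.inline) return { allowed: sources.includes("'unsafe-inline'"), governing };
  const url = new URL(request.url);
  return { allowed: sources.some((s) => sourceMatchesUrl(s, url, documentOrigin)), governing };
}

// Constructed sample policies and origin; neither string is Pulsar's real policy.
const DOCUMENT_ORIGIN = 'https://app.example';
const STRICT_CSP = "default-src 'self'";
const LIBERAL_CSP =
  "default-src 'self'; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; " +
  "worker-src 'self' data: blob:";

// Constructed requests resembling what a notebook plot renderer produces.
const REQUESTS = {
  inlinePlotScript: { directive: 'script-src', request: { inline: true } },
  cdnVegaLib: { directive: 'script-src', request: { url: 'https://cdn.jsdelivr.net/npm/vega@5' } },
  dataUrlWorker: { directive: 'worker-src', request: { url: 'data:text/javascript,postMessage(1)' } },
  unlistedHost: { directive: 'script-src', request: { url: 'https://unlisted.example/lib.js' } },
};

// Evaluate every sample request under one policy; returns name -> allowed boolean.
function evaluateAll(policy) {
  const out = {};
  for (const [name, { directive, request }] of Object.entries(REQUESTS)) {
    out[name] = isAllowed(policy, directive, request, DOCUMENT_ORIGIN).allowed;
  }
  return out;
}

console.table({ strict: evaluateAll(STRICT_CSP), liberal: evaluateAll(LIBERAL_CSP) });
```

Under the strict policy every sample load is blocked, which is the symptom in the issue: the plot library's inline `<script>` and its CDN-hosted runtime both fall under `default-src 'self'`, and the `data:` worker inherits the same restriction through the `worker-src` chain. The liberalized policy admits exactly the listed host, `'unsafe-inline'` and the `data:`/`blob:` worker schemes, while a script from a host that is not on the list stays blocked, so the allow-list is still doing work after the change.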