
Conversation

@asiloisad (Contributor) commented Feb 11, 2025

The Content Security Policy blocks hydrogen-next interactive elements generated by e.g. plotly or altair. It's an old issue inherited from the old days of hydrogen: nteract/hydrogen#1896 (comment).


Reproduce steps:

  1. Install hydrogen or hydrogen-next
  2. Install Python, IPython & kernel
  3. Create Python file
  4. Paste example code
    import altair as alt
    import numpy as np
    import pandas as pd
    
    x = np.arange(100)
    source = pd.DataFrame({
      'x': x,
      'f(x)': np.sin(x / 5)
    })
    
    alt.Chart(source).mark_line().encode(
        x='x',
        y='f(x)'
    )
  5. Start kernel & run all

Tested in dev build.

@savetheclocktower (Contributor)

Don't let me forget about this PR… but it feels like a bit of a scary change, so I'd like to do a little bit of research to make sure this doesn't open a Pandora's Box somehow.

@asiloisad (Contributor, Author) commented Feb 12, 2025

I will be glad if this PR lands and restores Vega plots (atom/atom#14761). script-src has been explained here.

@mauricioszabo (Contributor)

I don't think this is too scary. We have way more dangerous things that we support in Pulsar, and that's the price we pay for "hackability" (if that's even a word).

I am kind of curious why we can't plot in Hydrogen, because I do plot in my own plug-in Lazuli, but maybe I'm using a different way to evaluate code 🤔

@savetheclocktower (Contributor)

I ran into an issue with CSP when I was trying to load a web worker by data URL. (At the time I was exploring alternatives to declaring new Worker and then having to construct a file: URL, since most examples expect you'll describe the worker URL relatively from the web page itself — awkward when static.html is in the app bundle and the worker could be in the user's ATOM_HOME folder.) I suspect this change would've fixed it.

I'd be open to liberalizing the CSP as long as we understand exactly why this isn't working now, and why adding these rules would fix that. It's also worth a small amount of brainstorming to think about how this could be used for evil — though similar attack vectors certainly exist now, since anything that can be done within a Node module can be done within Pulsar.
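To make the "why isn't this working now, and why would these rules fix it" question concrete, here is an added example (not code from Pulsar, Atom or hydrogen-next): a simplified CSP Level 3 evaluator that walks the directive fallback chain (worker-src falls back to child-src, then script-src, then default-src; script-src-elem falls back to script-src, then default-src) and matches source expressions. The two policies, the file: page URL and the cdn.jsdelivr.net host in the demo are constructed for illustration and are not the project's real policy. Nonces, hashes, 'strict-dynamic', path matching and redirects are deliberately not modelled.

```javascript
// Added example, not Pulsar's or hydrogen-next's code: a simplified CSP Level 3 evaluator.
// It answers "would this policy let this script / worker / resource load?" by walking the
// directive fallback chain and matching source expressions against a URL.
// Not modelled: nonces, hashes, 'strict-dynamic', path matching, redirects.

// Directives consulted, in order, when the specific one is absent (CSP3 fallback rules).
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function fallbackChain(directive) {
  return FALLBACK[directive] || [directive, 'default-src'];
}

// "default-src 'self'; script-src 'self' https://cdn" -> { 'default-src': [...], 'script-src': [...] }
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources; // a repeated directive is ignored, as browsers do
  }
  return policy;
}

// Source list that governs `directive`, or null when the policy is silent about it.
function effectiveSources(policy, directive) {
  for (const name of fallbackChain(directive)) {
    if (policy[name] !== undefined) return policy[name];
  }
  return null;
}

function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.cdn.example" -> ".cdn.example"
    return hostname.toLowerCase().endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname.toLowerCase();
}

// A scheme-source or scheme prefix matches its secure upgrade too (http: covers https:).
function schemeMatches(pattern, scheme) {
  return pattern === scheme || (pattern === 'http:' && scheme === 'https:') || (pattern === 'ws:' && scheme === 'wss:');
}

// Does one source expression match `url`, evaluated from the page's own origin?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.protocol === page.protocol && url.host === page.host;
  if (e.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', nonces, hashes never match a URL
  if (e === '*') return url.protocol in DEFAULT_PORT || url.protocol === page.protocol; // never data:/blob:
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, url.protocol); // scheme-source: data:, blob:, https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e); // host-source
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (!schemeMatches(scheme + ':', url.protocol)) return false;
  } else if (!(url.protocol in DEFAULT_PORT) && url.protocol !== page.protocol) {
    return false; // a bare host never matches data:, blob: or a foreign scheme
  }
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol] || '')) return false;
  return true;
}

function allowsUrl(policyText, directive, urlText, pageUrlText) {
  const sources = effectiveSources(parsePolicy(policyText), directive);
  if (sources === null) return true; // no governing directive: nothing to enforce
  const url = new URL(urlText), page = new URL(pageUrlText);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Inline <script> bodies and on* handlers need 'unsafe-inline'; a nonce or hash in the same
// list switches 'unsafe-inline' off again, so hash-only policies still block unknown inline code.
function allowsInline(policyText, directive) {
  const sources = effectiveSources(parsePolicy(policyText), directive);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// eval()/new Function(), which chart libraries such as Vega use for compiled expressions.
function allowsEval(policyText) {
  const sources = effectiveSources(parsePolicy(policyText), 'script-src');
  return sources === null || sources.map((s) => s.toLowerCase()).includes("'unsafe-eval'");
}

// Hypothetical editor policies and page URL, constructed for this example (not Pulsar's real CSP).
const STRICT = "default-src 'self'; script-src 'self'";
const RELAXED = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; worker-src 'self' blob: data:";
const PAGE = 'file:///app/static/index.html';
const DATA_WORKER = 'data:text/javascript,self.postMessage(1)';

function demo() {
  return {
    strictDataWorker: allowsUrl(STRICT, 'worker-src', DATA_WORKER, PAGE),            // false: falls back to script-src 'self'
    relaxedDataWorker: allowsUrl(RELAXED, 'worker-src', DATA_WORKER, PAGE),          // true: worker-src lists data:
    strictCdnScript: allowsUrl(STRICT, 'script-src-elem', 'https://cdn.jsdelivr.net/npm/vega@5', PAGE),
    relaxedCdnScript: allowsUrl(RELAXED, 'script-src-elem', 'https://cdn.jsdelivr.net/npm/vega@5', PAGE),
    relaxedOtherHost: allowsUrl(RELAXED, 'script-src-elem', 'https://evil.example/x.js', PAGE), // still false
    localFile: allowsUrl(STRICT, 'script-src-elem', 'file:///app/static/vendor.js', PAGE),        // 'self' on file:
    strictInline: allowsInline(STRICT, 'script-src-elem'),
    relaxedInline: allowsInline(RELAXED, 'script-src-elem'),
    strictEval: allowsEval(STRICT),
    relaxedEval: allowsEval(RELAXED),
  };
}

console.log(demo());
```

The point the table of results makes: under the strict policy a data: worker dies at script-src because neither worker-src nor child-src is present, and an inline `<script>` emitted by a plotting library dies at the missing 'unsafe-inline'. Adding `worker-src blob: data:` fixes the first without touching scripts from the network; adding 'unsafe-inline' and 'unsafe-eval' fixes the second at the price of making any HTML the renderer accepts from a kernel executable, which is the "how could this be used for evil" question above.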

@asiloisad (Contributor, Author)

I have resolved my problem by redesigning the component, but I will keep the issue open until your problem is solved.
