Skip to content

fix: Replace inline cursor style with CSS classes to resolve CSP violation#177

Merged
Who-is-PS merged 4 commits intomainfrom
dev-v3-philosr-cartesian-chart-fix
Mar 5, 2026
Merged

fix: Replace inline cursor style with CSS classes to resolve CSP violation#177
Who-is-PS merged 4 commits intomainfrom
dev-v3-philosr-cartesian-chart-fix

Conversation

@Who-is-PS
Copy link
Member

@Who-is-PS Who-is-PS commented Mar 3, 2026
edited
Loading

Description

Using the CartesianChart component with the recommended Content Security Policy (style-src 'self') causes CSP violation errors when hovering over the chart:

Applying inline style violates the following Content Security Policy directive 'style-src 'self''.
Either the 'unsafe-inline' keyword, a hash, or a nonce is required to enable inline execution.

Root Cause

Several places in the codebase pass style: "pointer-events: none" as a string attribute to Highcharts' SVG renderer. Internally, Highcharts' _defaultSetter method calls element.setAttribute('style', 'pointer-events: none') on SVG elements — which is blocked by CSP style-src 'self' because setAttribute('style', ...) is treated as an inline style.

Solution

Replaced style: "pointer-events: none" with "pointer-events": "none" as a direct SVG presentation attribute. Since pointer-events is a valid SVG attribute, Highcharts now calls element.setAttribute('pointer-events', 'none') instead, which does not trigger CSP violations.

Also simplified the cursor style logic in chart-extra-pointer.tsx (note: container.style.cursor via CSSOM is not affected by CSP).

Changes

  • src/core/chart-api/chart-extra-tooltip.tsx — Replaced style: "pointer-events:none" with "pointer-events": "none"
  • src/internal/chart-styles.ts — Replaced style: "pointer-events: none" with "pointer-events": "none"
  • src/internal/components/series-marker/render-marker.tsx — Replaced both occurrences of style: "pointer-events: none" with "pointer-events": "none"
  • src/core/chart-api/chart-extra-pointer.tsx — Simplified cursor style logic (minor cleanup)

Related: AWSUI-61770

How has this been tested?

Review checklist

The following items are to be evaluated by the author(s) and the reviewer(s).

Correctness

  • Changes include appropriate documentation updates.
  • Changes are backward-compatible if not indicated, see CONTRIBUTING.md.
  • Changes do not include unsupported browser features, see CONTRIBUTING.md.
  • Changes were manually tested for accessibility, see accessibility guidelines.

Security

Testing

  • Changes are covered with new/existing unit tests?
  • Changes are covered with new/existing integration tests?

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@Who-is-PS Who-is-PS changed the title fix of cursor pointer fix: Replace inline cursor style with CSS classes to resolve CSP violation Mar 3, 2026
@Who-is-PS Who-is-PS marked this pull request as ready for review March 3, 2026 10:01
@Who-is-PS Who-is-PS requested a review from a team as a code owner March 3, 2026 10:01
@Who-is-PS Who-is-PS requested review from jperals and removed request for a team March 3, 2026 10:01
pan-kot
pan-kot reviewed Mar 4, 2026
View reviewed changes
src/core/chart-api/chart-extra-pointer.tsx Outdated
if (container) {
const isHovered = !!(this.hoveredPoint || this.hoveredGroup);
container.classList.toggle(styles["cursor-pointer"], isHovered);
container.classList.toggle(styles["cursor-default"], !isHovered);
Copy link
Member

@pan-kot pan-kot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why cursor-default is needed? Is it not enough to toggle cursor-pointer?

Copy link
Member Author

@Who-is-PS Who-is-PS Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cursor-default is unnecessary — removing the cursor-pointer class naturally falls back to the browser default. I'll simplify to just toggle cursor-pointer. Thanks!

@Who-is-PS Who-is-PS requested a review from pan-kot March 4, 2026 09:41
pan-kot
pan-kot previously approved these changes Mar 4, 2026
View reviewed changes
jperals
jperals previously approved these changes Mar 4, 2026
View reviewed changes
@Who-is-PS Who-is-PS added this pull request to the merge queue Mar 4, 2026
@SpyZzey SpyZzey removed this pull request from the merge queue due to a manual request Mar 4, 2026
@SpyZzey
Copy link
Member

SpyZzey commented Mar 4, 2026

How has this been tested?
From my understanding, container.style.cursor = value; (container is a HTMLDOMElement) shouldn't be affected by CSP (https://stackoverflow.com/a/51592893).

@SpyZzey SpyZzey self-requested a review March 4, 2026 10:50
@Who-is-PS
fix: resolve CSP violation caused by inline style attributes on SVG e…
ffe7e02 
…lements

When hovering over the chart, Highcharts' SVG renderer calls
element.setAttribute('style', ...) for SVG elements that have a
'style' string attribute. This violates Content Security Policy
when 'style-src' is set to 'self', because setAttribute('style', ...)
is treated as an inline style by the browser's CSP enforcement.

The fix replaces 'style: "pointer-events: none"' string attributes
with direct SVG presentation attributes ('pointer-events': 'none'),
which Highcharts passes to setAttribute('pointer-events', 'none')
instead — a valid SVG attribute that does not trigger CSP violations.

Files changed:
- src/core/chart-api/chart-extra-tooltip.tsx: tooltip track elements
- src/internal/chart-styles.ts: cursor line element
- src/internal/components/series-marker/render-marker.tsx: highlight markers

Also reverts the previous cursor CSS class approach, as
container.style.cursor (CSSOM manipulation) is not blocked by CSP.

Resolves: AWSUI-61770
@Who-is-PS Who-is-PS dismissed stale reviews from jperals and pan-kot via ffe7e02 March 4, 2026 11:12
@Who-is-PS Who-is-PS force-pushed the dev-v3-philosr-cartesian-chart-fix branch from aa24fab to ffe7e02 Compare March 4, 2026 11:12
@Who-is-PS
Copy link
Member Author

Who-is-PS commented Mar 4, 2026

How has this been tested? From my understanding, container.style.cursor = value; (container is a HTMLDOMElement) shouldn't be affected by CSP (https://stackoverflow.com/a/51592893).

Ah, the actual violation comes from style: "pointer-events: none" passed to Highcharts' SVG renderer, which internally calls element.setAttribute('style', ...) — that is blocked by CSP. The fix replaces it with "pointer-events": "none" as a direct SVG attribute.

@Who-is-PS Who-is-PS requested review from jperals and pan-kot March 4, 2026 17:23
@Who-is-PS Who-is-PS added this pull request to the merge queue Mar 5, 2026
Merged via the queue into main with commit b552724 Mar 5, 2026
45 of 46 checks passed
@Who-is-PS Who-is-PS deleted the dev-v3-philosr-cartesian-chart-fix branch March 5, 2026 10:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jperals jperals jperals approved these changes

@pan-kot pan-kot pan-kot approved these changes

@SpyZzey SpyZzey SpyZzey approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Who-is-PS @SpyZzey @jperals @pan-kot