I’ve checked other posts on the forum and it looks like compatibility with CSP was added in the 3.5 release:
https://canvasjs.com/forums/topic/content-security-policy-support/
However the latest version (we have just bought a licence and are using version v3.7.43 GA) is not fully compatible since it contains inline images. For example, when enabling the zoom / pan feature, the controls in the top-right corner are drawn as inline images using data:
-encoding, but this is blocked by our Content-Security-Policy: img-src 'self'
header.
Allowing all data:
sources in the CSP is not an option since this is a very wide rule, which would potentially open us up to XSS attacks, and there doesn’t seem to be a way to scope the permissions more tightly.
Can you please advise when this issue can be fixed?
Unfortunately we are not able to provide an example project because jsfiddle does not allow overriding the Content-Security-Policy header.