Per #897 , plotly will not be 100% compatible with a strict Content Security Policy concerning script-src (i.e. without unsafe-efal).

But it's possible to use it with a strict policy, only some methods are not available: for example the basic bundle works with if we avoid Plotly.d3.csv (cf #897 (comment))

The documentation should highlight these limitation, because once a website starts using a method not compatible with a strong CSP, it will be really difficult to set-up that policy in the future, thus weakening the security of that website. People should be aware of that trade-off, and know which methods they can use to avoid that pitfall.