Improve CSP Documentation & Consider Full CSP Compliance in Plotly.js #7349

Open
Labels: P1 (needed for current cycle), cs (customer success), documentation (written for humans), feature (something new)
@safroze-plotly

Description

Title: Improve CSP Documentation & Consider Full CSP Compliance in Plotly.js

Description

Plotly.js provides a strict CSP bundle for users with strong Content Security Policies (CSP), but clear documentation is missing on:

  • What’s included/excluded in the strict bundle
  • Known limitations and workarounds

Enterprise customers and community users (e.g., this forum post) have requested better CSP support and clarity. The strict bundle exists (plotly-strict.js), but its usage is not well-documented.


Proposed Actions

  1. Document the strict bundle’s capabilities, limitations, and integration steps.
  2. Provide examples for CSP-compliant usage in Dash & JS.
  3. Evaluate full CSP compliance for Plotly.js instead of maintaining a separate bundle.
    • Internal enterprise customers have requested a fully CSP-compliant version.
    • Can the main plotly.js bundle be refactored to remove eval and inline scripts?

Why This Matters

  • CSP restrictions block adoption in security-sensitive environments.
  • Clear documentation would prevent confusion and production roadblocks.
  • Growing demand from enterprises & community users for strict CSP support.

Can the team consider making the main bundle fully CSP-compliant? Are there technical challenges or funding requirements for this? 🚀
