Should the 'send to cloud' option be disabled by default? #316

Closed
th0ma5w opened this issue Mar 4, 2016 · 13 comments

th0ma5w commented Mar 4, 2016

The CDN hosted version of the library includes the toolbar link to immediately copy the data elsewhere. It would be nice to use the CDN version without this seemingly insecure option that can be clicked accidentally. There does not seem to be a way to disable this option. The Codepen examples all use a custom build and not the CDN version, so this issue is not apparent on the examples.

Alternatively, perhaps hosting can be done at CDNJS or Google if this button is a condition of the cost of the CDN hosting.

Contributor

etpinard commented Mar 4, 2016

Please search http://community.plot.ly/c/plotly-js for the answer.

etpinard closed this as completed Mar 4, 2016
Author

th0ma5w commented Mar 5, 2016

Okay cool! I found http://community.plot.ly/t/plotly-privacy-policy/303 which denotes how to disable this functionality. I will break out the security, privacy, and sales funnel issues into separate issues since they are not resolved by the community. Thanks again, I didn't even think to check the forum!

etpinard changed the title from "CDN Version Copies Data Externally" to "Should the 'send to cloud' option be disable by default?" Mar 7, 2016
etpinard changed the title from "Should the 'send to cloud' option be disable by default?" to "Should the 'send to cloud' option be disabled by default?" Mar 7, 2016
Contributor

etpinard commented Mar 7, 2016

@th0ma5w issues

are all valid concerns. Thanks for reporting.

That said, from the perspective of this repo, they are all related to the same feature, so I merged the above three issues in this one. I hope you don't mind.

etpinard reopened this Mar 7, 2016
Author

th0ma5w commented Mar 7, 2016

Nope, don't mind. I thought perhaps there could be work on where the link points to to address some of these things individually? Anyway, makes sense to have it here. Plotly is so very wonderful and a powerful addition to the JS landscape. I can 100% see when the system was proprietary that the public sharing features were an integral part to the service, and even an absolutely wonderful idea for the concept of open data. Unfortunately not all data is open, and not all people immediately get some of the implications, at least in my opinion. I shared the library with some colleagues and afterwards noticed the button. I can of course tell them how to disable it, no big deal, but I wondered about the risk to the greater audience that may consume Plotly charts. Thanks for your work and putting up with my drama :P If I was a little more versed in the code base I could offer a commit. Perhaps it could just be a simple addition to the dictionary/map on the main object? Thank you so much!!

Contributor

etpinard commented Mar 7, 2016

> Unfortunately not all data is open, and not all people immediately get some of the implications, at least in my opinion.

That's a very good point. I personally agree with you. But Plotly isn't my company, so I can't guarantee an outcome for this issue nor any short-term action.

At the moment, the workaround of least-friction is:

// include the call below once per page:
Plotly.setPlotConfig({
  modeBarButtonsToRemove: ['sendDataToCloud']
});

// then all subsequent 
Plotly.plot('graph', data, layout);

// won't show the send data to cloud mode bar button

Contributor

nicolaskruchten commented Nov 25, 2018

A few updates on the status quo as of today, which differs somewhat from March 2016 when this issue was opened:

  • The button in question is present in the modebar by default, and upon mouseover says "Edit in Chart Studio".
  • When this button is clicked, the user's browser sends (over HTTPS) the chart specification to Plotly's Chart Studio Cloud, which then returns a prepopulated version of our chart editor available at https://plot.ly/create but this data is not persisted anywhere during this operation
  • The user can then edit the chart as desired, and has the option of saving to Plotly's servers, but this is a multi-click affair wherein the user must:
    1. have or create a Chart Studio Cloud account;
    2. log in or already be logged into said account;
    3. confirm the public/private settings on the plot being saved
  • All of our documentation including CodePens uses the same CDN-hosted library as we distribute elsewhere and has this button available by default, so this is just as apparent in the examples as it is in regular use
  • Disabling this button is now even simpler than when @etpinard posted above, it can be done inline with plot creation: Plotly.newPlot('divId', data, layout, {modeBarButtonsToRemove: ['sendDataToCloud']})
  • Because this issue is sometimes linked to alongside rhetorical questions like "I wonder if Plotly will ever take privacy and security seriously", I should add that Plotly does take both of these issues very seriously: among other industry-standard measures, we have an active security vulnerability bounty program

Author

th0ma5w commented Nov 25, 2018

I will never use this in a corporate setting because the project insists on making available by default an option that sends all data across the public network. There is no way with this option enabled should anyone consider the product secure or private.

@alexcjohnson
Collaborator

What we've been insisting on primarily is backward compatibility. This was originally linked to the v2.0 milestone, in recognition that we would like to change it but doing so can be considered a breaking change.

That said, in addition to the changes @nicolaskruchten points out above, plotly.js and its ecosystem have evolved in ways that both mitigate some of the original reasons to want this functionality, and strengthen the argument for removing it. So on balance we've become comfortable that the benefits of making this change in a minor release override our concerns about it being a breaking change. Scheduling it for inclusion in 1.43.

@nicolaskruchten
Contributor

(1.43.0 is now out, so this button is gone by default on the CDN version)

@sorenwacker

And how can we get it back? Cannot find a description anywhere.

@nicolaskruchten
Contributor

You can set the showEditInChartStudio option to true in config: https://plotly.com/javascript/configuration-options/#display-edit-in-chart-studio-modebar-button

@sorenwacker

And with plotly.py? I tried finding it.

@nicolaskruchten
Contributor

The same options work for Python, which you can pass in as documented here: https://plotly.com/python/configuration-options/
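
Added example (not part of the thread and not Plotly's code): a wrapper that enforces the setting discussed above on every chart, so a page handling non-public data does not depend on the library default or on each caller remembering the option. The `editInChartStudio` button name and the `showSendToCloud`, `showLink`, `modeBarButtonsToAdd` and `modeBarButtons` options are not mentioned in the thread and are assumptions about plotly.js; `hardenPlotConfig` and `safeNewPlot` are hypothetical names.

```javascript
// Added example: names marked (assumed) do not appear in the thread.
const CLOUD_BUTTONS = new Set([
  'sendDataToCloud',    // named in the thread
  'editInChartStudio',  // (assumed) name of the newer button
]);

// Config flags that expose an upload path; all are forced off.
// showEditInChartStudio is from the thread, the other two are (assumed).
const CLOUD_FLAGS = ['showEditInChartStudio', 'showSendToCloud', 'showLink'];

// A mode bar entry is either a built-in button name or a custom
// button object carrying a `name` property.
function isCloudButton(entry) {
  const name = typeof entry === 'string' ? entry : entry && entry.name;
  return CLOUD_BUTTONS.has(name);
}

// Return a copy of `config` in which no cloud-export control survives,
// whatever the caller asked for and whatever the library default is.
function hardenPlotConfig(config = {}) {
  const out = { ...config };
  for (const flag of CLOUD_FLAGS) out[flag] = false;

  // Always remove the built-in buttons by name, without duplicates.
  const toRemove = Array.isArray(config.modeBarButtonsToRemove)
    ? config.modeBarButtonsToRemove : [];
  out.modeBarButtonsToRemove = [...new Set([...toRemove, ...CLOUD_BUTTONS])];

  // modeBarButtonsToAdd could put a button back, so filter it too.
  if (Array.isArray(config.modeBarButtonsToAdd)) {
    out.modeBarButtonsToAdd =
      config.modeBarButtonsToAdd.filter(b => !isCloudButton(b));
  }
  // modeBarButtons is a full override: an array of button groups.
  if (Array.isArray(config.modeBarButtons)) {
    out.modeBarButtons = config.modeBarButtons
      .map(group => group.filter(b => !isCloudButton(b)))
      .filter(group => group.length > 0);
  }
  return out;
}

// Drop-in wrapper: `plotly` is the loaded Plotly object.
function safeNewPlot(plotly, div, data, layout, config) {
  return plotly.newPlot(div, data, layout, hardenPlotConfig(config));
}
```

Routing every chart through `safeNewPlot` keeps the behaviour the same across library versions on either side of 1.43.0.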
