jgillick opened a new issue, #24597:
URL: https://github.com/apache/superset/issues/24597

   (Version: latest, docker image: c23d0ee6153e)
   
   The OAuth login button (Google, in my case) does nothing and in the browser 
console the following error is displayed:
   
   > Refused to execute inline event handler because it violates the following
   > Content Security Policy directive: "script-src 'self' 'strict-dynamic'
   > 'nonce-zxfr-QL5iUW2FZ0HmZqd-n1zO7yy1tRk'". Either the 'unsafe-inline' keyword,
   > a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline
   > execution. Note that hashes do not apply to event handlers, style attributes
   > and javascript: navigations unless the 'unsafe-hashes' keyword is present.
   
   After rolling back to 2.1.0, it appears this could be due to the new `nonce` 
attribute added to all the assets. My theory is that it might have something to 
do with the extra space around the value. For example, in my case, the HTML 
looks like this:
   
   ```html
   <script src="/static/assets/theme.5fb6aaa7430ffb2cbd6c.entry.js" async nonce="
       
           k4R8NQQ9rQ8B9tFSoTQ_hBEvcPFH6AUC
       
   "></script>
   ```
   
   #### How to reproduce the bug
   
   1. Using latest docker image (image ID: `c23d0ee6153e`)
   2. Set up OAuth authentication
   3. Load the login page: `/login/`
   4. View JS console. You should see Content Security Policy errors
   5. Click the login button
   6. Nothing happens. A new error might appear in the JS console.
   
   ### Expected results
   
   Clicking the login button should initiate the OAuth redirect login flow.
   
   ### Actual results
   
   Nothing happens
   
   #### Screenshots
   
   <img width="2107" alt="Screenshot 2023-07-05 at 1 26 50 PM" src="https://github.com/apache/superset/assets/35894/846f2d66-0163-4226-802e-fb328062e2eb">
   
   ### Environment
   
   (please complete the following information):
   
   - browser type and version: Chrome 114.0.5735.198
   - superset version: 0.0.0-dev, docker latest: c23d0ee6153e
   - python version: `3.9.17`
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included 
it here as text if there are any.
   - [x] I have reproduced the issue with at least the latest released version 
of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't 
found one similar.
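
A way to audit a rendered page for the two conditions this report mentions, inline event handler attributes (which a CSP nonce does not authorize) and `nonce` attribute values that do not equal the header nonce as written. This is an added example, not part of the original issue or of Superset's code; the sample header, markup, nonce value and `signin()` handler are constructed.

```python
from html.parser import HTMLParser

def csp_nonces(csp_header):
    """Return the nonce values listed in the script-src directive."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return {p[7:-1] for p in parts[1:]
                    if p.startswith("'nonce-") and p.endswith("'")}
    return set()

class CspAudit(HTMLParser):
    """Collect (line, tag, kind, detail) findings while parsing a page."""
    def __init__(self, nonces):
        super().__init__()
        self.nonces = nonces
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                # Heuristic: on* attributes are inline event handlers.
                self.findings.append((line, tag, "inline-event-handler", name))
            elif tag == "script" and name == "nonce" and value not in self.nonces:
                # Separate "right nonce, extra whitespace" from a wrong nonce.
                padded = value.strip() in self.nonces
                kind = "nonce-padded" if padded else "nonce-mismatch"
                self.findings.append((line, tag, kind, repr(value)))

def audit(html, csp_header):
    parser = CspAudit(csp_nonces(csp_header))
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample input, shaped like the header and markup in the report.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'strict-dynamic' 'nonce-EXAMPLEnonce123'"
SAMPLE_HTML = """<script src="/static/a.js" nonce="EXAMPLEnonce123"></script>
<script src="/static/b.js" async nonce="
    EXAMPLEnonce123
"></script>
<a href="#" onclick="signin()">Sign in</a>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, SAMPLE_CSP):
        print(finding)
```

Feed it the response body and the `Content-Security-Policy` header of the same response, since the nonce changes on every request.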
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

