Jaszkowic opened a new issue, #24947: URL: https://github.com/apache/superset/issues/24947
### How to reproduce the bug

- Prepare a dataset with "lat", "lng" columns
- Create a `deck.gl Scatterplot` chart -> Rendering on Map works fine
- In the "Advanced" section, add a "Javascript Data Interceptor" function
- Update chart

### Expected results

The render on the map still works fine without any modifications to CSP directives.

### Actual results

Error thrown in the console:

> Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-y8RSRvMUO3pXJ4LbJ-H3DScTT9JYDqJf'".

#### Screenshots

### Environment (please complete the following information):

- browser type and version: Chrome Version 115.0.5790.114
- superset version: master branch on commit `764f0f79ca636d50e7660cdfe5975c881df6c024` with unchanged `docker-compose-non-dev.yml` and `SUPERSET_ENV = production` and `FLASK_ENV = production` environment values. Deployed with `docker-compose`.

### Checklist

Make sure to follow these steps before submitting your issue - thank you!

- [x] I have checked the superset logs for python stacktraces and included them here as text if there are any.
- [x] I have reproduced the issue with at least the latest released version of superset.
- [x] I have checked the issue tracker for the same issue and I haven't found one similar.

### Additional context

Talisman / CSP has been enabled by default here: https://github.com/apache/superset/pull/24262 , documentation says:

> Superset needs the `style-src unsafe-inline` CSP directive in order to operate.

Documentation does not say anything about a needed `unsafe-eval` directive.

However, it seems at least for the `deck.gl Scatterplot` chart to work properly with a "Javascript Data Interceptor" set, the Talisman config needs the `unsafe-eval` directive on "script-src":

```python
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}
```

I am not sure if this is a bug in deck.gl Scatterplot or if it is okay to set the `unsafe-eval` directive in the TALISMAN_CONFIG.

Thanks for your help!
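An added example, not part of the issue and not Superset's or Talisman's own code: it renders a `content_security_policy` dict in the shape used above into the single header value a browser sees, and audits which directives carry policy-weakening source expressions, so the `'unsafe-eval'` added by the workaround stands out before the config is copied into a deployment. The serialiser mimics the "directive source source; directive source" layout of the error message above; it is an assumption about the output, not Talisman's implementation.

```python
# Source expressions that undo most of what a CSP buys (constructed list).
RISKY = {"'unsafe-eval'", "'unsafe-inline'", "*"}


def _sources(value):
    """Talisman-style values may be one string ("'none'") or a list."""
    return [value] if isinstance(value, str) else list(value)


def render_csp(policy: dict) -> str:
    """Join a directive dict into one Content-Security-Policy header value.

    Mimics the "directive src src; directive src" layout, not Talisman's code.
    """
    return "; ".join(
        f"{directive} {' '.join(_sources(value))}"
        for directive, value in policy.items()
    )


def audit_csp(policy: dict) -> dict:
    """Return {directive: [risky sources]} for every weakened directive.

    'unsafe-inline' on style-src is documented as required by Superset, so it
    is not reported there; anything else in RISKY is.
    """
    findings = {}
    for directive, value in policy.items():
        bad = [s for s in _sources(value) if s in RISKY]
        if directive == "style-src":
            bad = [s for s in bad if s != "'unsafe-inline'"]
        if bad:
            findings[directive] = bad
    return findings


# Constructed policies: the workaround from the issue, and the same policy
# with the default script-src restored (no eval allowed).
WORKAROUND_POLICY = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
}
STRICT_POLICY = {**WORKAROUND_POLICY, "script-src": ["'self'", "'strict-dynamic'"]}

if __name__ == "__main__":
    print(render_csp(WORKAROUND_POLICY))
    print(audit_csp(WORKAROUND_POLICY))  # {'script-src': ["'unsafe-eval'"]}
    print(audit_csp(STRICT_POLICY))      # {}
```

Running the audit against both dicts shows the only difference between the working chart and the stricter default is `'unsafe-eval'` on `script-src`, which is the trade-off the question above is really about.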
