FiiL123 opened a new issue, #25698:
URL: https://github.com/apache/superset/issues/25698

   Cached thumbnails in Redis are not being shown - we get only a white 
placeholder.
   The console shows an error stating that an image `blob:` URL could not be 
shown because it does not comply with `Content Security Policy directive: 
"img-src 'self' data:"`.
   
   ### How to reproduce the bug
   
   1. Use default talisman settings
   2. Use cached thumbnails with redis
   3. Access superset with cached thumbnails
   
   ### Environment
   
   - superset version: `3.0.0`
   - python version: `3.10.13`
   - kubernetes deployment
   - feature flags:  `ALERT_REPORTS, THUMBNAILS, THUMBNAILS_SQLA_LISTENERS, 
ENABLE_TEMPLATE_PROCESSING, GENERIC_CHART_AXES, ALLOW_ADHOC_SUBQUERY, 
DASHBOARD_RBAC, EMBEDDED_SUPERSET`
   
   ### Checklist
   
   - [x] I have reproduced the issue with at least the latest released version 
of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't 
found one similar.
   - [x] I have found a solution.
   
   ### How we solved it
   First we tried the `TALISMAN_ENABLED = False` flag in the settings to confirm 
this is an issue. With CSP completely disabled, thumbnails worked fine.
   
   Next we took a look at the default settings in `config.py`; these are currently:
   ```
   TALISMAN_CONFIG = {
       "content_security_policy": {
           "default-src": ["'self'"],
           "img-src": ["'self'", "data:"],
           "worker-src": ["'self'", "blob:"],
           "connect-src": [
               "'self'",
               "https://api.mapbox.com",
               "https://events.mapbox.com",
           ],
           "object-src": "'none'",
           "style-src": ["'self'", "'unsafe-inline'"],
           "script-src": ["'self'", "'strict-dynamic'"],
       },
       "content_security_policy_nonce_in": ["script-src"],
       "force_https": False,
   }
   ```
   Finally: 
   We added `blob:` to `img-src`, making it `"img-src": ["'self'", 
"data:", "blob:"]` while retaining all other CSP directives. And the thumbnails were back on!
   


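To make the difference between the default and the corrected policy checkable without a browser, here is an added example (it is not Superset's or Flask-Talisman's code). It renders a Talisman-style policy dict to the header value the same way Talisman serialises it, then implements the subset of CSP source matching that this issue turns on: `'self'`, `'none'`, scheme sources such as `data:` and `blob:`, host sources, and the fallback to `default-src` when a fetch directive is absent. The page origin `https://superset.example`, the blob URL and the function names are assumptions made for the example.

```python
"""Check a Flask-Talisman style CSP dict against the URLs Superset loads.

Added example, not code from Superset or Flask-Talisman. Renders the policy
dict to a header string ("directive src src; ...") and models the CSP
source matching relevant to the thumbnail issue: 'self', 'none', scheme
sources (data:, blob:), host sources and the default-src fallback.
"""
from urllib.parse import urlsplit

# Constructed copy of the 3.0.0 default content_security_policy quoted in the
# issue, and the corrected img-src beside it.
DEFAULT_CSP = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'strict-dynamic'"],
}
FIXED_CSP = {**DEFAULT_CSP, "img-src": ["'self'", "data:", "blob:"]}

PAGE_ORIGIN = "https://superset.example"                   # assumed deployment origin
THUMBNAIL_URL = "blob:https://superset.example/0a1b2c3d"   # constructed object URL


def render_csp(policy):
    """Serialise the dict into the Content-Security-Policy header value."""
    parts = []
    for directive, sources in policy.items():
        if isinstance(sources, str):
            sources = [sources]
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def _sources_for(policy, directive):
    """Fetch directives fall back to default-src when not set explicitly."""
    sources = policy.get(directive, policy.get("default-src", []))
    return [sources] if isinstance(sources, str) else list(sources)


def _source_matches(source, url, page_origin):
    src = source.lower()
    u = urlsplit(url)
    if src == "'none'":
        return False
    if src == "'self'":
        # Browsers do not treat data:/blob: URLs as 'self' even when the page
        # created the blob itself; that is what the console error in the
        # issue reports. 'self' only matches the same scheme and host:port.
        if u.scheme in ("data", "blob"):
            return False
        return (u.scheme, u.netloc) == tuple(urlsplit(page_origin)[:2])
    if src.startswith("'"):
        # 'unsafe-inline', 'strict-dynamic', nonces: never match a URL.
        return False
    if src.endswith(":"):
        # scheme-source such as "data:" or "blob:"
        return u.scheme == src[:-1]
    # host-source, optionally with a scheme and a leading "*." wildcard
    scheme, _, host = src.rpartition("://")
    if scheme and u.scheme != scheme:
        return False
    host = host.rstrip("/")
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.netloc == host


def allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """True if any source listed for `directive` (or default-src) permits url."""
    return any(_source_matches(s, url, page_origin)
               for s in _sources_for(policy, directive))


def thumbnail_allowed(policy):
    """The check that fails with the 3.0.0 defaults and passes once blob: is added."""
    return allows(policy, "img-src", THUMBNAIL_URL)


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_CSP), ("fixed", FIXED_CSP)):
        print(f"{name}: {render_csp(policy)}")
        print(f"  blob thumbnail allowed: {thumbnail_allowed(policy)}")
```

Running it shows the default policy rejecting the `blob:` thumbnail while still allowing `data:` images and `blob:` workers, and the corrected policy accepting it. Adding `blob:` to `img-src` only lets the page display object URLs it created itself, which is far narrower than setting `TALISMAN_ENABLED = False`; the script also makes it easy to confirm that directives you did not list (for example `font-src`) inherit `default-src 'self'` rather than silently opening up.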
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
