ruslan-murzag opened a new issue, #30761: URL: https://github.com/apache/superset/issues/30761
### Bug description

Images hosted on external URLs are not displaying in Apache Superset due to Content Security Policy (CSP) restrictions. Despite configuring TALISMAN_CONFIG to allow all sources, the browser console still reports CSP violations, specifically blocking image loading from external URLs.

**Steps to Reproduce:**

1. Configure TALISMAN_CONFIG in superset_config.py with settings to allow all sources:

```
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ['*'],
        "img-src": ['*'],
        "worker-src": ['*'],
        "connect-src": ['*'],
        "object-src": ['*'],
        "style-src": ['*'],
        "script-src": ['*'],
    },
    "force_https": False,
    "session_cookie_secure": False,
}
```

2. Attempt to display an image from an external URL in Superset.

The image should display as configured, following the img-src: '*' directive.

**Actual Behavior:** The image does not load, and the browser console shows a CSP error similar to the following:

```
Refused to load the image 'http://101.30.83.81:9000/images-superset/photo_2024-10-29_13-57-16.jpg' because it violates the following Content Security Policy directive: "img-src 'self' blob: data: https://apachesuperset.gateway.scarf.sh https://static.scarf.sh/".
```

**Impact:** This CSP restriction prevents images hosted on external URLs from being displayed in Superset, limiting the ability to include necessary external visual content.

**Request:** An option to fully relax or disable CSP checks specifically for images would provide flexibility, ensuring that Superset can display images hosted on external URLs as intended.

**Additional Context:** This issue specifically affects the display of externally hosted images within Superset, which are essential for various dashboards and visualizations.

### Screenshots/recordings

### Superset version

4.0.2

### Python version

3.9

### Node version

16

### Browser

Chrome

### Additional context

_No response_

### Checklist

- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
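An added diagnostic example, not part of the original issue or of Superset's code: a simplified CSP source matcher that checks the image URL against the `img-src` directive quoted in the console error, and against the same directive with one explicit origin appended instead of `*`. The page origin `http://superset.example:8088` and the `NARROWED` policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Policy string copied from the console error above; NARROWED and PAGE are constructed.
REPORTED = ("img-src 'self' blob: data: https://apachesuperset.gateway.scarf.sh "
            "https://static.scarf.sh/")
NARROWED = REPORTED + " http://101.30.83.81:9000"   # hypothetical allow-list entry
IMAGE = "http://101.30.83.81:9000/images-superset/photo_2024-10-29_13-57-16.jpg"
PAGE = "http://superset.example:8088"               # hypothetical Superset origin
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def source_matches(source, url, page_origin):
    """Simplified CSP matching: 'self', scheme-source, '*', host-source (no port wildcard)."""
    u, page = urlsplit(url), urlsplit(page_origin)
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    if source == "'self'":
        return (u.scheme, u.hostname, port) == (
            page.scheme, page.hostname, page.port or DEFAULT_PORTS.get(page.scheme))
    if source.endswith(":"):                      # scheme-source such as data: or blob:
        return u.scheme == source[:-1].lower()
    if u.scheme not in DEFAULT_PORTS:             # '*' and host-sources never match data:/blob:
        return False
    if source == "*":
        return True
    s = urlsplit(source if "://" in source else f"{page.scheme}://{source}")
    host = s.hostname or ""
    host_ok = u.hostname.endswith(host[1:]) if host.startswith("*.") else u.hostname == host
    scheme_ok = u.scheme == s.scheme or (s.scheme == "http" and u.scheme == "https")
    port_ok = port == (s.port or DEFAULT_PORTS[u.scheme])
    path_ok = not s.path or (u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path)
    return host_ok and scheme_ok and port_ok and path_ok


def img_allowed(header, url, page_origin=PAGE):
    """img-src falls back to default-src; with neither directive, nothing is restricted."""
    sources = parse_policy(header)
    sources = sources.get("img-src", sources.get("default-src"))
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)
```

Feeding it the `Content-Security-Policy` header value copied from the browser's network tab shows which policy is actually being served, which is the one the browser enforces.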