dosubot[bot] commented on issue #30761:
URL: https://github.com/apache/superset/issues/30761#issuecomment-2449147638

   A similar issue was discussed in a closed thread titled [Cached thumbnails 
not showing in browser due to 
CSP](https://github.com/apache/superset/issues/25698). The solution involved 
modifying the `img-src` directive in the Content Security Policy to include 
`blob:`, making it `"img-src": ["'self'", "data:", "blob:"]`. This change 
allowed cached thumbnails to display correctly. Additionally, this issue was 
addressed in version 3.0.1 of Superset 
<sup>[[1]](https://github.com/apache/superset/issues/25698)</sup>.
   
   In your case, it seems that despite setting `img-src` to `'*'`, the CSP is 
still enforcing restrictions. This might be due to a misconfiguration or an 
override elsewhere in the application. It's generally not recommended to use 
`'*'` for CSP directives due to security risks, as it allows content from any 
source, which can expose your application to vulnerabilities like XSS attacks 
<sup>[[2]](https://github.com/apache/superset/blob/master/docs/docs/security/security.mdx)</sup>.
   
   To troubleshoot, ensure that there are no other configurations or middleware 
that might be overriding your CSP settings. Additionally, consider specifying 
trusted domains explicitly in the `img-src` directive instead of using `'*'` to 
maintain security while allowing necessary external images.
   
   
   *To continue talking to [Dosu](https://dosu.dev), mention @dosu.*
   

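The following is an added example, not code from the issue thread, from Dosu, or from the Superset project. It shows the `img-src` fix quoted above (`'self'`, `data:`, `blob:`) in the shape of a `TALISMAN_CONFIG` fragment for `superset_config.py` (Superset passes that dict's `content_security_policy` to Flask-Talisman), replaces the wildcard with an explicit allow-list, and then applies CSP source-matching rules to a handful of constructed image URLs so a policy can be checked before a browser does it. The host `thumbnails.example.com`, the page origin `superset.example.com` and the sample URLs are all assumptions made up for the example. One caveat worth checking in a case like the reporter's: in CSP the wildcard is the unquoted token `*`; a quoted `'*'` is not a valid source expression and browsers ignore it, and even a valid `*` never matches `data:` or `blob:` URLs, which is why cached thumbnails need `blob:` listed explicitly.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# img-src list that resolved issue #25698 (blob: added so cached thumbnails load)
THREAD_IMG_SRC = ["'self'", "data:", "blob:"]

# Fragment of a superset_config.py TALISMAN_CONFIG (Superset hands this dict to
# Flask-Talisman). "thumbnails.example.com" is a hypothetical allow-list entry
# standing in for whatever external image host a deployment really needs.
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": THREAD_IMG_SRC + ["https://thumbnails.example.com"],
    },
}

PAGE = "https://superset.example.com"  # assumed page origin
SAMPLE_URLS = [  # constructed candidate image URLs
    "https://superset.example.com/static/assets/images/favicon.png",
    "blob:https://superset.example.com/0f3b2c7e-1a2b-4c3d-9e8f-123456789abc",
    "data:image/png;base64,iVBORw0KGgo=",
    "https://thumbnails.example.com/chart/42.png",
    "https://evil.example.net/tracker.png",
]


def build_csp_header(policy):
    """Serialize a Talisman-style policy dict into a Content-Security-Policy header."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # *.example.com matches a.example.com, not example.com
        return host.endswith(pattern[1:])
    return pattern.lower() == host


def _host_source_matches(src, page, url):
    """Match a host-source expression: [scheme://]host[:port][/path] (path ignored)."""
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    url_port = url.port or DEFAULT_PORTS.get(url.scheme)
    if scheme:
        scheme_ok = url.scheme == scheme.lower()
    else:  # scheme-less sources follow the page scheme; http pages may also load https
        scheme_ok = url.scheme == page.scheme or (page.scheme == "http" and url.scheme == "https")
    if port == "":
        port_ok = url_port == DEFAULT_PORTS.get(url.scheme)
    else:
        port_ok = port == "*" or (port.isdigit() and url_port == int(port))
    return scheme_ok and port_ok and _host_matches(host, (url.hostname or "").lower())


def img_allowed(header, page_origin, image_url):
    """Decide whether image_url may load on a page at page_origin under header.

    Rules applied: img-src falls back to default-src; 'self' matches the page
    origin; scheme sources such as data: and blob: match by scheme; the unquoted
    wildcard * matches any network scheme but never data:, blob: or filesystem:;
    a bare 'none' blocks everything; any other quoted token (including the
    invalid '*') is ignored, so a policy made only of such tokens allows nothing.
    """
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src", []))
    if sources == ["'none'"]:
        return False
    page, url = urlsplit(page_origin), urlsplit(image_url)
    for src in sources:
        if src == "'self'":
            if url.scheme == page.scheme and url.netloc.lower() == page.netloc.lower():
                return True
        elif src.startswith("'"):
            continue  # keyword not modelled here, or an invalid token such as '*'
        elif src == "*":
            if url.scheme not in ("data", "blob", "filesystem"):
                return True
        elif src.endswith(":") and "/" not in src:
            if url.scheme == src[:-1].lower():
                return True
        elif _host_source_matches(src, page, url):
            return True
    return False


def audit(header, page_origin, urls):
    """Return {url: allowed} for a batch of candidate image URLs."""
    return {u: img_allowed(header, page_origin, u) for u in urls}


if __name__ == "__main__":
    header = build_csp_header(TALISMAN_CONFIG["content_security_policy"])
    print(header)
    for u, ok in audit(header, PAGE, SAMPLE_URLS).items():
        print("allow" if ok else "block", u)
```

Run it once against the intended policy, then again with the header the browser actually sends (copy it from the response headers in the devtools Network tab) so that an override by a proxy, a load balancer or another middleware shows up as a difference between the two results.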

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

