korbit-ai[bot] commented on code in PR #34416:
URL: https://github.com/apache/superset/pull/34416#discussion_r2244095602


##########
docs/docs/configuration/theming.mdx:
##########
@@ -87,8 +87,66 @@
 3. **Apply**: Assign themes to specific dashboards or configure instance-wide
 4. **Iterate**: Modify theme JSON directly in the CRUD interface or re-import 
from the theme editor
 
+## Custom Fonts
+
+Superset supports custom fonts through runtime configuration, allowing you to 
use branded or custom typefaces without rebuilding the application.
+
+### Configuring Custom Fonts
+
+Add font URLs to your `superset_config.py`:
+
+```python
+# Load fonts from Google Fonts, Adobe Fonts, or self-hosted sources
+CUSTOM_FONT_URLS = [
+    
"https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap";,
+    
"https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&display=swap";,
+]
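Review bot: Both entries in `CUSTOM_FONT_URLS` point at fonts.googleapis.com, so every viewer's browser will contact Google on each page load; the section should say that fonts served from the Superset origin avoid sending viewer IP addresses and user agents to a third party and are the safer default for internal deployments. The comment line promises "Google Fonts, Adobe Fonts, or self-hosted sources" but no self-hosted example follows; one entry such as a path under the instance's own static directory would show readers that the list accepts same-origin URLs too.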

Review Comment:
   ### Unoptimized Font Loading <sub>![category Performance](https://img.shields.io/badge/Performance-4f46e5)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   Loading multiple external font files synchronously can impact initial page 
load performance.
   
   
   ###### Why this matters
   Each font URL creates a separate HTTP request and blocks rendering until the 
fonts are loaded, potentially increasing Time to First Paint (TFP) and causing 
layout shifts.
   
   ###### Suggested change ∙ *Feature Preview*
   Add font-display: swap to the font URLs and consider combining multiple font 
requests into a single URL for Google Fonts. Example:
   ```python
   CUSTOM_FONT_URLS = [
       "https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap",
   ]
   ```
   
   
   </details>



##########
docs/docs/configuration/theming.mdx:
##########
@@ -87,8 +87,66 @@ Restart Superset to apply changes.
 3. **Apply**: Assign themes to specific dashboards or configure instance-wide
 4. **Iterate**: Modify theme JSON directly in the CRUD interface or re-import 
from the theme editor
 
+## Custom Fonts
+
+Superset supports custom fonts through runtime configuration, allowing you to 
use branded or custom typefaces without rebuilding the application.
+
+### Configuring Custom Fonts
+
+Add font URLs to your `superset_config.py`:
+
+```python
+# Load fonts from Google Fonts, Adobe Fonts, or self-hosted sources
+CUSTOM_FONT_URLS = [
+    
"https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap";,
+    
"https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&display=swap";,
+]
+
+# Update CSP to allow font sources
+TALISMAN_CONFIG = {
+    "content_security_policy": {
+        "font-src": ["'self'", "https://fonts.googleapis.com";, 
"https://fonts.gstatic.com";],
+        "style-src": ["'self'", "'unsafe-inline'", 
"https://fonts.googleapis.com";],
+    }
+}
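Review bot: The `TALISMAN_CONFIG = {...}` literal replaces the whole Talisman configuration instead of extending it, so a reader who pastes it as written ends up with a Content Security Policy containing only `font-src` and `style-src` and loses `default-src`, `script-src` and the other directives of Superset's default policy in `superset/config.py`, which is a much weaker policy than before the change. Suggest rewording the comment from "Update CSP to allow font sources" to say the two hosts must be added to the existing `font-src` and `style-src` lists of the full default policy, and showing the complete dict (or the append) rather than a two-directive fragment.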

Review Comment:
   ### Unsafe CSP Configuration <sub>![category Security](https://img.shields.io/badge/Security-e11d48)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   The Content Security Policy (CSP) configuration includes 'unsafe-inline' in the style-src directive, which weakens security by allowing inline styles.
   
   
   ###### Why this matters
   Allowing unsafe-inline in CSP negates many of the protections against 
Cross-Site Scripting (XSS) attacks as it permits the execution of inline styles 
from potentially malicious sources.
   
   ###### Suggested change ∙ *Feature Preview*
   Remove 'unsafe-inline' and instead use nonces or hashes for specific trusted 
inline styles if absolutely necessary:
   ```python
   TALISMAN_CONFIG = {
       "content_security_policy": {
           "font-src": ["'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"],
           "style-src": ["'self'", "https://fonts.googleapis.com"],
       }
   }
   ```
   
   
   </details>



##########
docs/docs/configuration/theming.mdx:
##########
@@ -87,8 +87,66 @@
 3. **Apply**: Assign themes to specific dashboards or configure instance-wide
 4. **Iterate**: Modify theme JSON directly in the CRUD interface or re-import 
from the theme editor
 
+## Custom Fonts
+
+Superset supports custom fonts through runtime configuration, allowing you to 
use branded or custom typefaces without rebuilding the application.
+
+### Configuring Custom Fonts
+
+Add font URLs to your `superset_config.py`:
+
+```python
+# Load fonts from Google Fonts, Adobe Fonts, or self-hosted sources
+CUSTOM_FONT_URLS = [
+    
"https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap";,
+    
"https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&display=swap";,
+]
+
+# Update CSP to allow font sources
+TALISMAN_CONFIG = {
+    "content_security_policy": {
+        "font-src": ["'self'", "https://fonts.googleapis.com";, 
"https://fonts.gstatic.com";],
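Review bot: The `font-src` value on the last two lines grants `https://fonts.googleapis.com`, but Google serves only the stylesheet from that host and the font binaries from `https://fonts.gstatic.com`, so the googleapis entry in `font-src` is an allowance nothing uses; keep `font-src` to `'self'` and `https://fonts.gstatic.com`, and leave googleapis to `style-src`. The comment above the list names "Adobe Fonts, or self-hosted sources", yet only Google hosts appear; it is worth stating that `'self'` already covers self-hosted files and that any other provider needs its own host in both directives.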

Review Comment:
   ### Missing Adobe Fonts CSP Configuration <sub>![category Functionality](https://img.shields.io/badge/Functionality-0284c7)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   The CSP configuration for Adobe Fonts is missing in the TALISMAN_CONFIG when 
discussing Adobe Fonts as a supported font source.
   
   
   ###### Why this matters
   Users attempting to use Adobe Fonts will experience font loading failures 
due to CSP restrictions blocking the Adobe Fonts domain.
   
   ###### Suggested change ∙ *Feature Preview*
   Add Adobe Fonts domain to the CSP configuration:
   ```python
   TALISMAN_CONFIG = {
       "content_security_policy": {
           "font-src": ["'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com", "https://use.typekit.net"],
           "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com", "https://use.typekit.net"],
       }
   }
   ```
   
   
   </details>
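The two CSP comments above (dropping 'unsafe-inline' in favour of hash-sources, and admitting the Adobe Fonts host) share one concern: widening the policy for exactly the hosts each `CUSTOM_FONT_URLS` entry needs without weakening the rest of it. The helper below is an added example, not Superset's or Korbit's code; `BASE_CSP` is an assumed stand-in for the default policy in `superset/config.py`, and `PROVIDER_HOSTS` is an assumed allowlist mapping each stylesheet host to the hosts it needs in `style-src` and `font-src`.

```python
"""Added example: widen a baseline Superset CSP for external font hosts
without 'unsafe-inline'. Not Superset's or Korbit's code."""
import base64
import hashlib
from urllib.parse import urlsplit

# Assumption: stand-in for the default policy in superset/config.py. Keeping
# these directives is the point; a bare {"font-src", "style-src"} literal
# assigned to TALISMAN_CONFIG would replace them all.
BASE_CSP = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "font-src": ["'self'"],
}

# Assumption: stylesheet host -> (host for style-src, host for font-src).
# Google serves the CSS from googleapis and the binaries from gstatic; Adobe
# serves both from use.typekit.net. Any other host is rejected.
PROVIDER_HOSTS = {
    "fonts.googleapis.com": ("https://fonts.googleapis.com", "https://fonts.gstatic.com"),
    "use.typekit.net": ("https://use.typekit.net", "https://use.typekit.net"),
}

def style_hash(inline_css: str) -> str:
    """CSP hash-source for one trusted inline <style> element (exact bytes).
    Hash-sources cover <style> elements, not style="..." attributes."""
    digest = hashlib.sha256(inline_css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_csp(font_urls, inline_styles=()):
    """Return BASE_CSP widened for the given CUSTOM_FONT_URLS, with
    'unsafe-inline' dropped from style-src in favour of hashes of inline_styles."""
    csp = {name: list(values) for name, values in BASE_CSP.items()}
    for url in font_urls:
        host = urlsplit(url).hostname
        if host not in PROVIDER_HOSTS:
            raise ValueError(f"font host not in allowlist: {host}")
        for directive, source in zip(("style-src", "font-src"), PROVIDER_HOSTS[host]):
            if source not in csp[directive]:
                csp[directive].append(source)
    csp["style-src"] = [s for s in csp["style-src"] if s != "'unsafe-inline'"]
    csp["style-src"] += [style_hash(css) for css in inline_styles]
    return csp

def serialize(csp):
    """Render the dict as a header value in the shape Talisman emits."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in csp.items())
```

Passing the two Google URLs from the snippet yields `font-src 'self' https://fonts.gstatic.com` and `style-src 'self' https://fonts.googleapis.com`, with the remaining baseline directives intact.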



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

