codeant-ai-for-open-source[bot] commented on PR #36685: URL: https://github.com/apache/superset/pull/36685#issuecomment-3662851202
## Nitpicks 🔍

🔒 **No security issues identified**

⚡ **Recommended areas for review**

- [ ] [**Overly permissive CSP**](https://github.com/apache/superset/pull/36685/files#diff-b890c30abd26cc3ffd5783785d0ed95fcb834c5440ae9329c4cce42042217e56R25-R25)
  The added CSP header leaves some very permissive directives in place (notably `frame-src *` and the presence of `'unsafe-inline'` / `'unsafe-eval'` under `default-src`). These allow broad framing and inline/eval script execution, which increases the risk of clickjacking and XSS exploitation. Consider tightening these directives or adding explicit, narrow directives for `script-src` and `frame-src`.
- [ ] [**Missing explicit script-src**](https://github.com/apache/superset/pull/36685/files#diff-b890c30abd26cc3ffd5783785d0ed95fcb834c5440ae9329c4cce42042217e56R25-R25)
  The header relies on `default-src` to govern scripts and includes `'unsafe-inline'` and `'unsafe-eval'`. It's safer to add an explicit `script-src` directive that enumerates trusted script origins (and avoids `unsafe-*` where possible) so that script policy is independent of other resource types.
- [ ] [**Regression risk for removed host**](https://github.com/apache/superset/pull/36685/files#diff-b890c30abd26cc3ffd5783785d0ed95fcb834c5440ae9329c4cce42042217e56R25-R25)
  Removing `*.run.app` may be correct, but there's a functional risk if any third-party resources (widgets, embeds, images) loaded from that host exist but were missed by the investigation. Ensure post-deploy verification covers all embeds/widgets (kapa.ai, Google Calendar, GitHub images) and that automated tests or monitoring catch failures.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
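The fallback behaviour the review points at, as an added example that is not part of the bot's comment or of the Superset PR: a small CSP linter that resolves the sources actually governing `script-src` (falling back to `default-src` when the directive is absent) and flags `'unsafe-inline'`, `'unsafe-eval'` and `frame-src *`. The two headers below are constructed for illustration and are not the header from the PR.

```python
"""Lint a Content-Security-Policy header for the permissive settings the review flags."""
from typing import Dict, List

# Fetch directives that inherit default-src when they are not set explicitly.
FALLS_BACK_TO_DEFAULT = ("script-src", "frame-src", "img-src", "style-src", "connect-src")

# Constructed headers: a permissive one resembling the reviewed pattern, and a tightened one.
WEAK_HEADER = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src *; img-src 'self' https:"
HARDENED_HEADER = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "frame-src https://calendar.google.com; img-src 'self' https:"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list that governs `directive`, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def lint_csp(header: str) -> List[str]:
    """Return one finding per permissive setting; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "script-src" not in policy:
        findings.append("script-src missing: scripts are governed by default-src")
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in effective_sources(policy, "script-src"):
            findings.append(f"{keyword} is allowed for scripts")
    if "*" in effective_sources(policy, "frame-src"):
        findings.append("frame-src * lets the page embed frames from any origin")
    return findings


if __name__ == "__main__":
    for name, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(name, lint_csp(header))
```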
