rusackas opened a new pull request, #41129: URL: https://github.com/apache/superset/pull/41129
### SUMMARY

Second half of #32110. The in-app telemetry pixel loaded from the **Scarf Gateway redirect** — `https://apachesuperset.gateway.scarf.sh/pixel/<id>/<version>/<sha>/<build>` — which Chrome/Brave/Firefox and some extensions flag as a tracking redirect, surfacing Superset as a "dangerous"/phishing site for affected users.

Per Scarf's own guidance on the issue (cc @aviaviavi), point the pixel at the **native static endpoint** the gateway route already forwards to:

```
https://static.scarf.sh/a.png?x-pxid=0d3461e1-abb1-4691-a0aa-5ed50de66af0&version=…&sha=…&build=…
```

This is confirmed against the Scarf project config — the package route's "File location" is exactly this static URL, and `0d3461e1-…` is the same tracking-pixel ID already in the code. So:

- **Same pixel, same telemetry.** Identical ID; `version`/`sha`/`build` are preserved (now query params instead of path segments). No data dimension is lost.
- **No redirect hop.** The browser hits `static.scarf.sh` directly, removing the gateway redirect that triggers the warnings.
- **CSP tightened.** `static.scarf.sh` was already in the `img-src` allowlists, so the pixel keeps working. Since nothing in the browser loads from `apachesuperset.gateway.scarf.sh` anymore, this also drops that now-unused host from both `TALISMAN_CONFIG` / `TALISMAN_DEV_CONFIG` `img-src` lists and the security-docs example. (The `apachesuperset.docker.scarf.sh` image-pull gateway is a different host and is untouched.)

> **Stacked on #41124** (the runtime opt-out half of #32110). Until that merges, the diff here will also show its commit; it'll narrow to just this change once #41124 lands. Happy to reorder/rebase if you'd prefer them merged in the other order.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A.
Network behavior:

- **Before:** `GET apachesuperset.gateway.scarf.sh/pixel/…` → 302 → `static.scarf.sh/a.png?…`
- **After:** `GET static.scarf.sh/a.png?x-pxid=…&version=…&sha=…&build=…` (no redirect)

### TESTING INSTRUCTIONS

- `npm run test -- TelemetryPixel` — asserts the pixel `src` now starts with `https://static.scarf.sh/`, carries the version/sha/build params, and that no `gateway.scarf.sh` image is emitted.
- Manual: load any page with telemetry enabled and confirm the only Scarf request in the network tab is a direct `static.scarf.sh` hit with no redirect.

### ADDITIONAL INFORMATION

- [x] Has associated issue: #32110
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)
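The direct pixel URL and the `img-src` allowlist check described in the PR, as an added JavaScript example that is not Superset's `TelemetryPixel` component or its config: `buildPixelSrc` and `pixelAllowedByCsp` are hypothetical helpers, the pixel ID is the one quoted above, and `IMG_SRC_AFTER` is a constructed stand-in for the Talisman `img-src` list.

```javascript
// Added example; not Superset's own code. The pixel ID is the one quoted in
// the PR; the allowlist is a constructed stand-in for TALISMAN_CONFIG img-src.
const SCARF_PIXEL_ID = '0d3461e1-abb1-4691-a0aa-5ed50de66af0';
const STATIC_HOST = 'static.scarf.sh';
const GATEWAY_HOST = 'apachesuperset.gateway.scarf.sh';

// Build the direct pixel URL. The dimensions travel as query params instead of
// path segments, so URLSearchParams takes care of encoding odd build strings.
function buildPixelSrc({ version, sha, build }) {
  const url = new URL(`https://${STATIC_HOST}/a.png`);
  url.searchParams.set('x-pxid', SCARF_PIXEL_ID);
  url.searchParams.set('version', version);
  url.searchParams.set('sha', sha);
  url.searchParams.set('build', build);
  return url.toString();
}

// Match one CSP source expression against a scheme + host. Handles the
// scheme-qualified form, the bare host form, and a leading "*." wildcard.
function sourceMatches(source, protocol, host) {
  const hostPart = source.startsWith(`${protocol}//`)
    ? source.slice(protocol.length + 2)
    : source;
  if (hostPart === host) return true;
  if (hostPart.startsWith('*.')) return host.endsWith(hostPart.slice(1));
  return false;
}

// An <img src> passes only if its origin is allowed by img-src AND it does not
// point at the gateway redirect host that the PR removes from the allowlist.
function pixelAllowedByCsp(src, imgSrcAllowlist) {
  const { protocol, host } = new URL(src);
  if (host === GATEWAY_HOST) return false;
  return imgSrcAllowlist.some((s) => sourceMatches(s, protocol, host));
}

// Constructed allowlist reflecting the post-PR state (gateway host dropped).
const IMG_SRC_AFTER = ["'self'", 'data:', 'https://static.scarf.sh'];
```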
