mistaanthony opened a new issue #11713:
URL: https://github.com/apache/incubator-superset/issues/11713


   Using the Superset frontend in environments that enforce a strict Content Security Policy, for example `<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-eval'">`, which blocks the use of inline CSS and JavaScript, causes some elements not to be rendered, including data visualisations.
   
   Ref: https://developers.google.com/web/fundamentals/security/csp#inline_code_is_considered_harmful
   
   
   **Examples of the inline code are as follows:**
   
   ```html
   <div class="dataTables_scrollHeadInner" style="box-sizing: content-box; width: 756px; padding-right: 0px;">
       <table class="table table-striped table-condensed table-hover dataTable no-footer" role="grid" style="margin-left:0px; width: 756px;">
           <thead>
               <tr role="row">
                   <th class="sorting" title="Message Status" tabindex="0" aria-controls="DataTables_Table_1" rowspan="1"
                       colspan="1" aria-label="Message Status: activate to sort column ascending" style="width:335px;">Message Status
                   </th>
                   <th class="sorting" title="count" tabindex="0" aria-controls="DataTables_Table_1" rowspan="1" colspan="1"
                       aria-label="count: activate to sort column ascending" style="width: 152px;">count
                   </th>
                   <th class="sorting" title="% count" tabindex="0" aria-controls="DataTables_Table_1" rowspan="1" colspan="1"
                       aria-label="% count: activate to sort column ascending" style="width: 194px;">% count
                   </th>
               </tr>
           </thead>
       </table>
   </div>
   ```
   
   
   **There are also inline functions on buttons such as the example below**
   
   ```html
   <a href="javascript:void(0)" class="btn btn-sm btn-default confirm" rel="tooltip" title=""
      onclick="var a = new AdminActions(); return a.execute_single_delete('/dashboard/delete/2','You sure you want to delete this item?');"
      data-original-title="Delete record">
       <i class="fa fa-eraser"></i>
   </a>
   ```

   ### Expected results
   
   Superset should be able to run in secure environments with strictly enforced policies. It should not have any inline JS or CSS; CSS should be class-oriented, and both CSS and JS should be referenced from an external file.
   
   ### Actual results
   
   The Superset UI loads, but it is not working: a strict Content Security Policy blocks inline styles and inline functions from executing.
   
   #### Screenshots
   
   <img width="1680" alt="Screen Shot 2020-11-16 at 13 48 37" src="https://user-images.githubusercontent.com/1929967/99277394-ab6ed300-2825-11eb-86f5-a5bf670839aa.png">
   
   <img width="1385" alt="Screen Shot 2020-11-16 at 15 44 36" src="https://user-images.githubusercontent.com/1929967/99277292-8bd7aa80-2825-11eb-84fb-c85349525696.png">
   
   #### How to reproduce the bug
   
   1. Go to '...'
   2. Click on '....'
   3. Scroll down to '....'
   4. See error
   
   ### Environment
   
   (please complete the following information):
   
   - superset version: `0.36.0`
   - python version: `3.6.0`
   - node.js version: `10-jessie`
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [ ] I have checked the superset logs for python stacktraces and included it here as text if there are any.
   - [ ] I have reproduced the issue with at least the latest released version of superset.
   - [ ] I have checked the issue tracker for the same issue and I haven't found one similar.
   
   ### Additional context
   
   Add any other context about the problem here.
   
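A small audit script, added here as an illustration and not part of the issue or of Superset's own code, that walks rendered markup like the snippets quoted above and counts the constructs a CSP without `'unsafe-inline'` refuses to apply (style attributes, `on*` handlers, `javascript:` URLs, inline `<script>`/`<style>` bodies). The sample HTML is constructed from the quoted examples; the class and function names are the example's own.

```python
from collections import Counter
from html.parser import HTMLParser

# Constructed sample modelled on the markup quoted in the issue: a DataTables header
# positioned with style="" attributes and a delete button wired up with onclick="".
SAMPLE_HTML = """
<div class="dataTables_scrollHeadInner" style="box-sizing: content-box; width: 756px;">
  <table class="table dataTable" role="grid" style="margin-left:0px; width: 756px;">
    <thead><tr role="row">
      <th class="sorting" style="width:335px;">Message Status</th>
      <th class="sorting" style="width: 152px;">count</th>
    </tr></thead>
  </table>
</div>
<a href="javascript:void(0)" class="btn btn-sm btn-default confirm"
   onclick="var a = new AdminActions(); return a.execute_single_delete('/dashboard/delete/2', 'Sure?');">
  <i class="fa fa-eraser"></i>
</a>
<script src="/static/app.js"></script>
"""


class InlineCspAuditor(HTMLParser):
    """Record markup a CSP without 'unsafe-inline' (and no nonces/hashes) refuses to apply.
    'unsafe-eval', as in the issue's policy, does not help: it only re-enables eval()."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, detail)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if name == "style":                      # needs style-src 'unsafe-inline'
                self.findings.append(("style-attr", tag, value))
            elif name.startswith("on"):              # inline handler, needs script-src 'unsafe-inline'
                self.findings.append(("event-handler", tag, f"{name}={value!r}"))
            elif name in ("href", "src", "action") and (value or "").lstrip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", tag, value))  # treated as inline script
        if tag == "script" and "src" not in attrs:   # inline <script> body
            self.findings.append(("inline-script", tag, ""))
        if tag == "style":                           # inline <style> sheet
            self.findings.append(("inline-style", tag, ""))


def audit_inline_csp(html: str) -> dict:
    """Return {finding kind: count}; an empty dict means the markup is CSP-clean."""
    auditor = InlineCspAuditor()
    auditor.feed(html)
    auditor.close()
    return dict(Counter(kind for kind, _, _ in auditor.findings))
```

Running `audit_inline_csp(SAMPLE_HTML)` reports four style attributes, one event handler and one `javascript:` URL, while the external `<script src>` is not flagged; the same pass over a page's server-rendered templates shows what has to move into class-based CSS and external scripts before a strict policy can be deployed.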