Benji81 commented on issue #13533: URL: https://github.com/apache/superset/issues/13533#issuecomment-796939896
Yes @junlincc it is for deck.gl. I do not know if other charts allow embedded JS.

**My pain points:**

The ENABLE_JAVASCRIPT_CONTROLS option says that it is disabled by default because of XSS possibility if a bad user includes malicious JS in a chart. In my usage, I have some trusted users and some untrusted users. My trusted users are "power users" that need to add some JS in their charts, for tooltips on a map for example. They ask me if I can enable this feature.

What I do not want is to also enable that feature for untrusted users because theoretically, with XSS, they could write JS to steal the session/cookie of any user that would display a malicious chart. It would be very dangerous if these sessions/cookies are those of a power user with extended permissions or an admin.

Adding this as a permission should solve this, by adding this feature to a "role" for power users and not adding it to the "standard user" role.
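The role-scoped gate the comment proposes, sketched as an added example (this is not Superset's code and not an existing Superset feature): the global `ENABLE_JAVASCRIPT_CONTROLS` feature flag stays the master switch, and on top of it a per-role permission decides whether user-supplied JS in a chart's form data is kept. The permission name `can_use_javascript_controls`, the role table, and the `js_*` form-data keys are assumptions made for the illustration. The check is applied when a chart is saved and keyed on the user doing the saving, not on the later viewer, because the risk described above is script authored by one user running in another user's browser.

```python
"""Role-scoped gate for chart JavaScript controls.

Added illustration, not Superset's own code. Models the proposal in the
comment: ENABLE_JAVASCRIPT_CONTROLS remains the global master switch, and a
hypothetical per-role permission additionally controls whether JS carried in a
chart's form data survives a save. Users without the permission get the JS
keys stripped, so a chart they author cannot run script for other viewers.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Global feature flag, as set in superset_config.py (Superset's default is False).
FEATURE_FLAGS = {"ENABLE_JAVASCRIPT_CONTROLS": True}

# Hypothetical permission name; not an existing Superset permission.
JS_CONTROLS_PERMISSION = "can_use_javascript_controls"

# Form-data keys assumed to carry user-supplied JavaScript (deck.gl style keys).
JS_FORM_DATA_KEYS = frozenset(
    {"js_columns", "js_data_mutator", "js_tooltip", "js_onclick_href"}
)

# Constructed role table: only power users and admins get the permission.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "Admin": frozenset({JS_CONTROLS_PERMISSION}),
    "PowerUser": frozenset({JS_CONTROLS_PERMISSION}),
    "StandardUser": frozenset(),
}


@dataclass
class User:
    name: str
    roles: list[str] = field(default_factory=list)


def js_controls_allowed(user: User, feature_flags: dict | None = None) -> bool:
    """Default deny: the global flag must be on AND a role must grant the permission."""
    flags = FEATURE_FLAGS if feature_flags is None else feature_flags
    if not flags.get("ENABLE_JAVASCRIPT_CONTROLS", False):
        return False
    return any(
        JS_CONTROLS_PERMISSION in ROLE_PERMISSIONS.get(role, frozenset())
        for role in user.roles
    )


def sanitize_form_data_on_save(
    form_data: dict, saving_user: User, feature_flags: dict | None = None
) -> tuple[dict, list[str]]:
    """Return (form data to persist, names of stripped JS keys).

    Called with the user who is saving the chart. If that user may not use JS
    controls, every JS-bearing key is dropped before the chart is stored, so
    nothing script-like reaches later viewers regardless of their roles.
    """
    if js_controls_allowed(saving_user, feature_flags):
        return dict(form_data), []
    stripped = sorted(k for k in form_data if k in JS_FORM_DATA_KEYS and form_data[k])
    cleaned = {k: v for k, v in form_data.items() if k not in JS_FORM_DATA_KEYS}
    return cleaned, stripped


# Constructed sample form data for a deck.gl chart with a JS tooltip.
SAMPLE_FORM_DATA = {
    "viz_type": "deck_scatter",
    "js_tooltip": "d => d.object.name",
    "js_columns": ["name"],
    "point_radius": 10,
}


if __name__ == "__main__":
    for u in (User("alice", ["PowerUser"]), User("mallory", ["StandardUser"])):
        kept, dropped = sanitize_form_data_on_save(SAMPLE_FORM_DATA, u)
        print(f"{u.name}: allowed={js_controls_allowed(u)} stripped={dropped}")
```

Because the filter runs at save time against the author's roles, an admin opening a chart saved by a standard user never receives `js_tooltip` at all; gating on the viewer's roles instead would let exactly the high-privilege accounts the comment worries about execute the untrusted script.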
