sarutak opened a new pull request, #54315:
URL: https://github.com/apache/spark/pull/54315

   ### What changes were proposed in this pull request?
   This PR fixes an issue that the WebUI has been broken since 
Content-Security-Policy was introduced in #54028
   
   This is one example.
   <img width="1720" height="850" alt="broken-ui" src="https://github.com/user-attachments/assets/2ac1f328-c5d9-487e-a2e3-e216612a50f0" />
   
   The reason is that inline scripts, event handlers and styles are not allowed.
   To allow inline scripts, this PR adds `nonce`.
   
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Global_attributes/nonce#using_nonce_to_allowlist_a_script_element
   
   This workaround cannot be applied to inline styles, so this PR applies `unsafe-inline`.
   
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#unsafe-inline
   I think this compromise is OK because inline scripts are protected by nonce.
   
   A nonce cannot be applied to inline handlers either, so this PR rewrites them using a `<script>` tag and a nonce.
   
   ### Why are the changes needed?
   Bug fix.
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   ### How was this patch tested?
   New test added mainly for nonce.
   I also confirmed that UI components are rendered correctly, that there are no error messages in the browser's developer console, and that mouse actions work correctly with simple RDD jobs and queries.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   Kiro CLI / Opus 4.6
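The policy shape described in the PR (nonce-allowlisted inline scripts, `unsafe-inline` kept only for styles, inline event handlers moved into a nonced `<script>`) as an added example; this is not Spark's code and the directive values, function names and sample HTML are assumptions constructed for illustration. The linter flags the two things such a policy would block in a page: an inline `<script>` without the per-response nonce and any `on*=` handler attribute.

```python
import secrets
from html.parser import HTMLParser

def new_nonce() -> str:
    # Fresh per response: 128 bits of randomness, base64url-encoded.
    return secrets.token_urlsafe(16)

def build_csp(nonce: str) -> str:
    # Hypothetical header value, not Spark's actual directives: inline
    # <script> only via the nonce, inline styles via 'unsafe-inline'.
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "style-src 'self' 'unsafe-inline'"
    )

class _CspLint(HTMLParser):
    """Collects constructs a nonce-based script-src would block."""
    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.problems: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        # Inline <script> (no src=) must carry the matching nonce.
        if tag == "script" and "src" not in a and a.get("nonce") != self.nonce:
            self.problems.append(f"line {line}: inline <script> without nonce")
        # onclick=, onload=, ... are never allowed by a nonce; only
        # 'unsafe-inline' or 'unsafe-hashes' would permit them.
        for name in a:
            if name.startswith("on"):
                self.problems.append(f"line {line}: inline handler {name}= on <{tag}>")

def lint_html(html: str, nonce: str) -> list[str]:
    parser = _CspLint(nonce)
    parser.feed(html)
    return parser.problems

# Constructed sample, not taken from Spark's UI templates.
BEFORE_HTML = '<button onclick="run()">Go</button>\n<script>run()</script>'

def after_html(nonce: str) -> str:
    # The handler moves into a nonced <script> that attaches it with addEventListener.
    return (
        '<button id="go">Go</button>\n'
        f'<script nonce="{nonce}">'
        'document.getElementById("go").addEventListener("click", run)</script>'
    )
```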


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
