Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2023/01/13 01:46:35 UTC

[GitHub] [superset] reidab opened a new pull request, #22711: docs(security): clarify CSP requirements and provide example TALISMAN_CONFIG

reidab opened a new pull request, #22711:
URL: https://github.com/apache/superset/pull/22711

   
   ### SUMMARY
   
   This is an attempt to provide some more clarity around the CSP requirements and to add a basic example `TALISMAN_CONFIG`.
   
   I've been submitting docs updates for issues I hit during an initial deployment of Superset on Kubernetes. Upon deployment, I started seeing CSP warnings from the `CONTENT_SECURITY_POLICY_WARNING` setting in my logs, but the docs did not provide much information about what sort of CSP Superset requires in order to function.
   
   I first tried a basic strict CSP of `default-src: 'self'; object-src: 'none'`. This resulted in Superset's UI failing to run with a number of errors related to `unsafe-inline` and `unsafe-eval`. Adding those keywords to the basic policy allowed Superset's UI to operate in our deployment.
   
   * Does this capture all the necessary requirements for Superset's CSP? Are there other considerations that should be highlighted?
   * Is there any reason to break out individual CSP sections like `script-src` and `style-src` vs using `default-src` in the example? I'd favor simplicity as a starting point if there's no compelling reason to break them out.
   
   ### TESTING INSTRUCTIONS
   
   Read the new docs.
   
   * Does this seem like a reasonable description of the CSP requirements?
   * Is the example given a reasonable default configuration?
   
   ### ADDITIONAL INFORMATION
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
     - [ ] Migration is atomic, supports rollback & is backwards-compatible
     - [ ] Confirm DB migration upgrade and downgrade tested
     - [ ] Runtime estimates and downtime expectations provided
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] michael-s-molina commented on pull request #22711: docs(security): clarify CSP requirements and provide example TALISMAN_CONFIG

Posted by GitBox <gi...@apache.org>.
michael-s-molina commented on PR #22711:
URL: https://github.com/apache/superset/pull/22711#issuecomment-1381885000

   > Does this capture all the necessary requirements for Superset's CSP? Are there other considerations that should be highlighted?
   
   Depending on the features one will use, there may be additional configurations:
   - Some dashboards use the data protocol to load images and therefore need `"img-src": "'self' data:"`
   - MapBox chart requires: `"worker-src": "'self' blob:"` and `"connect-src": "'self' https://api.mapbox.com https://events.mapbox.com"`
   
   > Is there any reason to break out individual CSP sections like script-src and style-src vs using default-src in the example? I'd favor simplicity as a starting point if there's no compelling reason to break them out.
   
   You should break only if you need to (see examples above).


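Added example, not code from Superset or from the PR author: a `superset_config.py`-style `TALISMAN_CONFIG` that folds in the directives from the two comments above, plus a small checker that resolves CSP fallback (worker-src -> child-src -> script-src -> default-src, everything else -> default-src) to report which feature requirements a policy does not meet. The `force_https` value and the split of the `unsafe-inline`/`unsafe-eval` need into script-src and style-src are assumptions.

```python
"""Constructed example: a Talisman CSP dict for Superset and a checker that
reports which feature requirements (from the PR thread) a policy misses."""

# Assumed: TLS is terminated at the ingress, so Talisman does not force HTTPS.
TALISMAN_CONFIG = {
    "content_security_policy": {
        # Thread: the UI needs 'unsafe-inline' and 'unsafe-eval' on top of 'self'.
        "default-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
        "object-src": "'none'",
        "img-src": ["'self'", "data:"],          # dashboards loading data: images
        "worker-src": ["'self'", "blob:"],       # MapBox charts
        "connect-src": ["'self'", "https://api.mapbox.com",
                        "https://events.mapbox.com"],  # MapBox charts
    },
    "force_https": False,
}

# Per-feature needs taken from the thread; the script/style split is assumed.
FEATURE_REQUIREMENTS = {
    "core UI": {"script-src": {"'unsafe-inline'", "'unsafe-eval'"},
                "style-src": {"'unsafe-inline'"}},
    "data: URI images": {"img-src": {"data:"}},
    "MapBox charts": {"worker-src": {"blob:"},
                      "connect-src": {"https://api.mapbox.com",
                                      "https://events.mapbox.com"}},
}

# CSP Level 3 fallback chains; directives not listed fall back to default-src.
FALLBACK = {"worker-src": ["worker-src", "child-src", "script-src", "default-src"],
            "child-src": ["child-src", "default-src"]}


def _sources(value):
    """Talisman accepts a space-separated string or a list for each directive."""
    return value.split() if isinstance(value, str) else list(value)


def effective_sources(policy, directive):
    """Resolve a directive through its fallback chain, as a browser would."""
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in policy:
            return set(_sources(policy[name]))
    return set()


def missing_requirements(policy, requirements=FEATURE_REQUIREMENTS):
    """Return {feature: {directive: [missing sources]}} for unmet needs."""
    missing = {}
    for feature, needs in requirements.items():
        for directive, sources in needs.items():
            lacking = set(sources) - effective_sources(policy, directive)
            if lacking:
                missing.setdefault(feature, {})[directive] = sorted(lacking)
    return missing


def render_csp(policy):
    """Serialize the policy dict to a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(_sources(v))}" for d, v in policy.items())
```

Running `missing_requirements` against the strict starting policy from the PR description lists every source the thread says had to be added, while the example config above reports nothing missing.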


[GitHub] [superset] reidab commented on pull request #22711: docs(security): clarify CSP requirements and provide example TALISMAN_CONFIG

Posted by GitBox <gi...@apache.org>.
reidab commented on PR #22711:
URL: https://github.com/apache/superset/pull/22711#issuecomment-1382245534

   @michael-s-molina thanks for the clarification and extra info! I've updated the branch to include all of these requirements.




[GitHub] [superset] michael-s-molina merged pull request #22711: docs(security): clarify CSP requirements and provide example TALISMAN_CONFIG

Posted by GitBox <gi...@apache.org>.
michael-s-molina merged PR #22711:
URL: https://github.com/apache/superset/pull/22711

