Posted to notifications@superset.apache.org by "not1q84-1 (via GitHub)" <gi...@apache.org> on 2023/10/09 04:14:54 UTC

[I] Talisman Config not updated from superset_config.py [superset]

not1q84-1 opened a new issue, #25570:
URL: https://github.com/apache/superset/issues/25570

   When setting content-security-policy options through the superset_config file these are not accepted during startup
   
   I am running superset from scratch (3.0.0. installed via pipenv from pypi) and python3.10. my superset config file as dev environment
   
   #### How to reproduce the bug
   
   1. Go to superset_config and amend / change the talisman content-security policy with 3rd party websites like (I copied this also under TALISMAN_DEV_CONFIG):
   ```
   TALISMAN_CONFIG = {
       "content_security_policy": {
           "default-src": ["'self'"],
           "frame-src": ["'self'", "https://service.xxxx.com"],
           "img-src": ["'self'", "data:", "https://service.xxxx.com"],
           "worker-src": ["'self'", "blob:"],
           "connect-src": [
               "'self'",
               "https://api.mapbox.com",
               "https://events.mapbox.com",
           ],
           "object-src": "'none'",
           "style-src": [
               "'self'",
               "'unsafe-inline'",
               "https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css",
           ],
           "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
       },
       "content_security_policy_nonce_in": ["script-src"],
       "force_https": False,
   }
   ```
   3. Start superset
   4. Create markdown chart with img-src / frame-src pointing to third party website
   <blockquote>
   
   ```
    <center>
       <img width = 20px style="padding-bottom:5px;padding-top:10px" src="data:image/png;base64....">
       </br>
       <img height = 70px src="https://service.xxxx.com/icons/Pfeil_oben_links.svg">
       <p style="font-size: 35px;font-weight:bold;padding-top:0px;padding-bottom:00px">-</p>
    </center>
   ```
   
   </blockquote>
   
   6. Load page
   7. Links are NOT loaded and browser console shows (directive in error message does NOT include changes to content-security-policy):
   ```
   Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data:".
   ```
   8. However **changing the config.py code directly can be used as a workaround**:
       1. change the superset/config.py file directly in the package directory. 
       2.  Repeat steps 2 & 4 with fully refreshing browser  - content is loaded
   
   ### Expected results
   
   content-security-policy should be read from the superset_config.py file and be considered during startup
   
   ### Actual results
   
   settings are ignored and can only be changed in superset source code directly
   
   ### Environment
   
   
   - browser type and version: Edge Version 117.0.2045.60 (64-Bit)
   - superset version: `3.0.0`
   - python version: `3.10.13`
   - node.js version: `node not installed`
   - any feature flags active:
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
   - [x] I have reproduced the issue with at least the latest released version of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
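
A check for the symptom reported in the issue above, as an added example that is not part of the original thread or of Superset's code: it compares a Talisman-style policy dict with the directive text the browser reports and lists the configured sources that never reached the served policy. The function names and the simplified source matching are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: part of the override from the issue (placeholder host as posted).
CONFIGURED = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:", "https://service.xxxx.com"],
    "object-src": "'none'",
}
# Directive text quoted in the browser console message from the issue.
REPORTED = "img-src 'self' data:"


def parse_policy(header):
    """Split a CSP header value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def normalize(config):
    """Talisman-style values may be a string or a list; return lists."""
    return {k: v.split() if isinstance(v, str) else list(v) for k, v in config.items()}


def missing_sources(configured, observed):
    """Configured sources absent from the directives present in `observed`."""
    served = parse_policy(observed)
    gaps = {}
    for directive, sources in normalize(configured).items():
        absent = [s for s in sources if s not in served.get(directive, sources)]
        if absent:
            gaps[directive] = absent
    return gaps


def allows(sources, url, origin):
    """Simplified source match: 'self', scheme sources, exact scheme://host."""
    u = urlsplit(url)
    site = f"{u.scheme}://{u.netloc}"
    return any(
        (src == "'self'" and site == origin)
        or (src.endswith(":") and u.scheme == src[:-1])
        or src == site
        for src in sources
    )
```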


Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "fzhan (via GitHub)" <gi...@apache.org>.
fzhan commented on issue #25570:
URL: https://github.com/apache/superset/issues/25570#issuecomment-2106478048

   @rusackas could you please kindly point to the manual where 'content_security_policy' and other TALISMAN_CONFIG kvs can be set using helm? I've got nowhere.
   
   Thanks,




Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas commented on issue #25570:
URL: https://github.com/apache/superset/issues/25570#issuecomment-2013244090

   TALISMAN_CONFIG is in there by default now, so it shouldn't be crashing (we would hear a LOT about that).  You should be able to set `img-src` to be `'self' data: <URL>` and it should work. Closing this since it's a config issue rather than a bug, but happy to revisit if needed.




Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "vglukhik (via GitHub)" <gi...@apache.org>.
vglukhik commented on issue #25570:
URL: https://github.com/apache/superset/issues/25570#issuecomment-1989226023

   same here. Version 3.1.0




Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "sfirke (via GitHub)" <gi...@apache.org>.
sfirke commented on issue #25570:
URL: https://github.com/apache/superset/issues/25570#issuecomment-2108876010

   In general for every deployment method it would be nice if we added both instructions specific to that method for where to put superset_config.py (I have a PR open to make this clearer for PyPI) and a troubleshooting step for users trying to verify that file is getting picked up.
   
   I have sometimes advised people to enable a feature flag, then look to see if that corresponding functionality is enabled in the application. But we can do better and this comes up a lot.




Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "basarix (via GitHub)" <gi...@apache.org>.
basarix commented on issue #25570:
URL: https://github.com/apache/superset/issues/25570#issuecomment-1829867290

   Same here, but with the added bonus that including the TALISMAN_CONFIG block into my superset_config.py file (running a docker installation of 3.0.1), makes superset crash on boot with a load of python errors.




Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas commented on issue #25570:
URL: https://github.com/apache/superset/issues/25570#issuecomment-2108863546

   I don't know if there _is_ such a guide, actually. I also don't use Helm (I live in a luxurious world where @craig-rueda and @dpgaspar do the infra magic for Preset), but maybe @villebro or @nytai can suggest something. If this does get resolved, we'd love to see the addition of more details in the documentation if you're up for it (cc @sfirke).




Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "suryag1988 (via GitHub)" <gi...@apache.org>.
suryag1988 commented on issue #25570:
URL: https://github.com/apache/superset/issues/25570#issuecomment-1752641333

   Even I face the same problem... Unable to load image file in Superset 3 dashboard. 




Re: [I] Talisman Config not updated from superset_config.py [superset]

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas closed issue #25570: Talisman Config not updated from superset_config.py
URL: https://github.com/apache/superset/issues/25570

