CSP directive needs 'unsafe-eval' to evaluate Deck.gl "Javascript Data Interceptor" #24947

Jaszkowic opened this issue Aug 10, 2023 · 6 comments

@Jaszkowic

How to reproduce the bug

  • Prepare dataset with "lat", "lng" columns
  • Create a deck.gl Scatterplot chart -> Rendering on Map works fine
  • In the "Advanced" section, add a "Javascript Data Interceptor" function
  • Update chart

Expected results

The render on the map still works fine without any modifications to CSP directives

Actual results

Error thrown in the console:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-y8RSRvMUO3pXJ4LbJ-H3DScTT9JYDqJf'".

Screenshots

(screenshot attached: Bildschirmfoto 2023-08-10 um 15 50 42)

Environment

(please complete the following information):

  • browser type and version: Chrome Version 115.0.5790.114
  • superset version: master branch at commit 764f0f79ca636d50e7660cdfe5975c881df6c024, with an unchanged docker-compose-non-dev.yml and the environment variables SUPERSET_ENV=production and FLASK_ENV=production. Deployed with docker-compose.

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included them here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Talisman / CSP has been enabled by default in #24262; the documentation says:

Superset needs the style-src unsafe-inline CSP directive in order to operate.

Documentation does not say anything about a needed unsafe-eval directive. However, it seems at least for the deck.gl Scatterplot chart to work properly with a "Javascript Data Interceptor" set, the Talisman config needs the unsafe-eval directive on "script-src":

TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}

I am not sure if this is a bug in deck.gl Scatterplot or if it is okay to set the unsafe-eval directive in the TALISMAN_CONFIG.

Thanks for your help!

@qleroy
Contributor

qleroy commented Sep 3, 2023

I am experiencing the same issue with Handlebars on 3.0.0rc3.
It was working fine on 2.1.1.

@kim-larsh

kim-larsh commented Sep 21, 2023

Also experiencing this on Handlebars charts in 3.0.0; it worked in 2.1.

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-4LtoOfLG9FyQxTFtAg3XpkVBtPqO6CwI'".

Tried the TALISMAN_CONFIG options as in the config.py file, but they did not work in superset_config.py.

TALISMAN_ENABLED = False does work in superset_config.py but would prefer not to do that.

@edgars

edgars commented Mar 9, 2024

Is there any solution for it? I am using 3.1.1.

@jeverling
Contributor

Is there any solution for it? I am using 3.1.1.

Hi, the following config works around this issue for me:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}

This is based on the upstream config for 3.0.2, so you might want to check this config value for the version you're using and adjust accordingly. The default is set in this file:

https://github.com/apache/superset/blob/master/superset/config.py#L1402
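To see what the two TALISMAN_CONFIG variants posted in this thread actually hand the browser, here is an added example (not Superset or Talisman code) that renders the effective script-src with the nonce appended and flags the CSP implications; the sample configs are constructed copies trimmed to the script-related keys, and the rules follow CSP Level 3 browser semantics.

```python
"""Audit the script-src part of a Talisman-style TALISMAN_CONFIG for CSP risk.
Added example, not Superset or Talisman code; rules encode CSP Level 3 browser semantics."""
from typing import Dict, List, Union

Directive = Union[str, List[str]]


def _sources(csp: Dict[str, Directive], name: str) -> List[str]:
    """Return a directive's source list, accepting the single-string form Talisman allows."""
    value = csp.get(name, [])
    return [value] if isinstance(value, str) else list(value)


def render_script_src(talisman_config: dict, nonce: str) -> str:
    """Approximate the script-src the browser sees: Talisman appends the nonce last."""
    parts = _sources(talisman_config["content_security_policy"], "script-src")
    if "script-src" in talisman_config.get("content_security_policy_nonce_in", []):
        parts = parts + [f"'nonce-{nonce}'"]
    return "script-src " + " ".join(parts)


def audit_script_src(talisman_config: dict) -> List[str]:
    """Return findings about what the effective script-src lets a page execute."""
    script_src = _sources(talisman_config["content_security_policy"], "script-src")
    nonced = "script-src" in talisman_config.get("content_security_policy_nonce_in", [])
    findings = []
    if "'unsafe-eval'" in script_src:
        findings.append("unsafe-eval: eval()/new Function() allowed; this is what the interceptor needs")
    if "'unsafe-inline'" in script_src and nonced:
        findings.append("unsafe-inline: ignored by browsers once a nonce is present")
    if "'strict-dynamic'" in script_src and not nonced:
        findings.append("strict-dynamic: without a nonce or hash every script is blocked")
    return findings


# Constructed inputs: the script-related keys of the two configs posted in this thread.
ISSUE_CONFIG = {  # first comment: upstream default plus 'unsafe-eval'
    "content_security_policy": {"script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"]},
    "content_security_policy_nonce_in": ["script-src"],
}
WORKAROUND_CONFIG = {  # jeverling's workaround: 'unsafe-inline' plus 'unsafe-eval'
    "content_security_policy": {"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"]},
    "content_security_policy_nonce_in": ["script-src"],
}

if __name__ == "__main__":
    for name, cfg in ("issue", ISSUE_CONFIG), ("workaround", WORKAROUND_CONFIG):
        print(name, render_script_src(cfg, "EXAMPLE"), audit_script_src(cfg), sep="\n  ")
```

Running it shows that the workaround's 'unsafe-inline' is dead weight next to the nonce, so both configs reduce to the same trade-off: 'unsafe-eval' is the one addition that makes the interceptor work.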

@rusackas
Member

This seems like a config issue more than a docs issue, but how would you propose resolving it? I don't think we should turn on unsafe-eval unless we really must. Maybe a documentation change or some notes in the config file would suffice? Unsafe eval is (as it says on the tin) not the safest thing. The DeckGL tooltips in their current state are not a secure feature, as stated in the code/config. I'm hoping to deprecate them as part of 5.0, in hopes that we can replace them with a less risky feature in Superset 5.0 or 6.0.

@kgabryje
Member

unsafe-eval is off by default for the reasons mentioned by @rusackas. If the features blocked by CSP configs are essential for you, and if you're fine with the security implications, you can add unsafe_eval to the config - it's the only workaround as of now.
