chore: Enable CSP by default #24262
Conversation
    constructor(fn: Function) {
      super();
Calling new Function() breaks the CSP rule that disallows using eval in scripts. Extending Function is a nice hack that lets us make a class instance (in most cases it's a formatter) callable - for example instead of calling formatter.format(value) we call formatter(value). Removing super() does not break that behaviour while also letting us avoid calling the Function constructor.
Codecov Report

Coverage diff, master vs. #24262:

    Coverage   68.91%  ->  68.97%  (+0.05%)
    Files        1899  ->    1901  (+2)
    Lines       73843  ->   73969  (+126)
    Branches     8119  ->    8119
    Hits        50892  ->   51019  (+127)
    Misses      20840  ->   20839  (-1)
    Partials     2111  ->    2111

... and 13 files with indirect coverage changes.
Two things re: docs changes:

Well spotted @sfirke, thank you!
LGTM
            "script-src": ["'self'", "'strict-dynamic'"],
        },
        "content_security_policy_nonce_in": ["script-src"],
        "force_https": False,
@kgabryje curious why this force_https change?
I wanted to limit the scope of the changes in this PR just to CSP - and force_https was disabled by default so far (since Talisman was disabled by default).
I agree with keeping this disabled by default - I would wager that by far the majority of prod Superset deployments terminate SSL/TLS on the LB.
LGTM, I just left one question. Thanks @kgabryje!
Looks great! One honest question and one potential improvement idea, LMKWYT?
superset/config.py (outdated)
    # React requires `eval` to work correctly in dev mode
    TALISMAN_DEV_CONFIG = {
        "content_security_policy": {
            "default-src": ["'self'"],
            "img-src": ["'self'", "data:"],
            "worker-src": ["'self'", "blob:"],
            "connect-src": [
                "'self'",
                "https://api.mapbox.com",
                "https://events.mapbox.com",
            ],
            "object-src": "'none'",
            "style-src": ["'self'", "'unsafe-inline'"],
            "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
        },
        "content_security_policy_nonce_in": ["script-src"],
    }
Shouldn't we set force_https: False here, too? AFAIK it defaults to True, right?
Yup nice catch!
    talisman_config = (
        self.config["TALISMAN_DEV_CONFIG"]
        if self.superset_app.debug
        else self.config["TALISMAN_CONFIG"]
    )
I'm wondering if it's a good idea to have separate dev and non-dev configs. Should these maybe be TALISMAN_DEFAULT_DEV_CONFIG and TALISMAN_DEFAULT_PROD_CONFIG, and only if TALISMAN_CONFIG is undefined would we fall back to the default? Thoughts?
We must have "unsafe-eval" in dev mode - React and Webpack use it and there's no way around it
LGTM
This reverts commit c3b5d72.
SUMMARY

This PR enables TALISMAN_ENABLED by default and provides a default content security policy config. Please keep in mind that this is a breaking change. If your Superset deployment loads additional scripts, loads images from external domains, or performs HTTP requests to external domains, you need to adjust the default CSP config by adding external origins to the appropriate CSP directives and/or mark the scripts with a nonce as described in the updated docs.
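The following is an added example, not code from Superset or flask-talisman. It ties together two points of this thread: the dev-versus-prod policy selection in the app.py snippet above (with 'unsafe-eval' only in the debug policy, as @kgabryje notes React and Webpack need it), and the SUMMARY's instruction that deployments loading external scripts or images must extend the default policy with their own origins. It models the Talisman-style config dicts, renders one into a Content-Security-Policy header value with a per-response nonce appended to the directives named in content_security_policy_nonce_in, and extends a copy of the default without mutating the shipped one. Assumptions: the prod TALISMAN_CONFIG directives not visible on the page are taken from TALISMAN_DEV_CONFIG; the header rendering approximates what flask-talisman emits rather than reusing its code; all function names and the example origins (cdn.example.com, plugins.example.com) are constructed for this illustration.

```python
# Added example; not Superset's or flask-talisman's code. Rendering is an
# approximation of Talisman's header format; function names are hypothetical.
import copy
import secrets
from typing import Dict, Iterable, List, Mapping, Optional, Sequence, Tuple, Union

Sources = Union[str, Sequence[str]]
Policy = Dict[str, Sources]

# Assumed prod default: the PR only shows the tail of TALISMAN_CONFIG, so the
# other directives are copied from the TALISMAN_DEV_CONFIG shown on the page.
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}

# Dev default as in the PR: React and Webpack need eval in dev mode. The spread
# is a shallow copy; nothing below mutates these dicts in place.
TALISMAN_DEV_CONFIG = {
    "content_security_policy": {
        **TALISMAN_CONFIG["content_security_policy"],
        "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}


def select_talisman_config(app_config: Mapping[str, dict], debug: bool) -> dict:
    """Mirror the PR's app.py: the dev policy is used only in debug mode."""
    return app_config["TALISMAN_DEV_CONFIG"] if debug else app_config["TALISMAN_CONFIG"]


def make_nonce() -> str:
    """Fresh per-response nonce; a nonce must be unguessable to mean anything."""
    return secrets.token_urlsafe(16)


def render_csp(policy: Mapping[str, Sources], nonce_in: Iterable[str] = (),
               nonce: Optional[str] = None) -> str:
    """Serialise a policy dict into a header value such as
    "default-src 'self'; script-src 'self' 'strict-dynamic' 'nonce-...'".
    A directive given as a plain string (object-src 'none') stays one token."""
    nonce_in = set(nonce_in)
    parts: List[str] = []
    for directive, value in policy.items():
        sources = [value] if isinstance(value, str) else list(value)
        if nonce is not None and directive in nonce_in:
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def build_csp_header(app_config: Mapping[str, dict], debug: bool,
                     nonce: Optional[str] = None) -> Tuple[str, str]:
    """Pick the policy for this environment and render it; returns (header, nonce)."""
    talisman = select_talisman_config(app_config, debug)
    nonce = nonce or make_nonce()
    header = render_csp(talisman["content_security_policy"],
                        talisman.get("content_security_policy_nonce_in", ()), nonce)
    return header, nonce


def with_extra_origins(talisman_config: dict, extra: Mapping[str, Sequence[str]]) -> dict:
    """Copy a Talisman config and append origins to directives, as the SUMMARY asks
    deployments that load external scripts or images to do. The shipped default is
    left untouched; a string-valued directive becomes a list, and 'none' (which
    cannot be combined with other sources) is replaced rather than appended to."""
    cfg = copy.deepcopy(talisman_config)
    policy: Policy = cfg["content_security_policy"]
    for directive, origins in extra.items():
        current = policy.get(directive, [])
        sources = [current] if isinstance(current, str) else list(current)
        if sources == ["'none'"]:
            sources = []
        for origin in origins:
            if origin not in sources:
                sources.append(origin)
        policy[directive] = sources
    return cfg


def allows_eval(policy: Mapping[str, Sources]) -> bool:
    """True if script-src permits eval()/new Function(); expected False in prod."""
    value = policy.get("script-src", [])
    sources = [value] if isinstance(value, str) else list(value)
    return "'unsafe-eval'" in sources


if __name__ == "__main__":
    app_config = {"TALISMAN_CONFIG": TALISMAN_CONFIG, "TALISMAN_DEV_CONFIG": TALISMAN_DEV_CONFIG}
    header, _ = build_csp_header(app_config, debug=False)
    print(header)
    print("prod allows eval:", allows_eval(TALISMAN_CONFIG["content_security_policy"]))
```

Two design points worth noting. With 'strict-dynamic' present, CSP3-capable browsers ignore host allowlists and 'self' in script-src and trust only nonced (or hashed) scripts plus whatever those scripts load, which is why the prod policy needs the nonce on every script tag rather than a longer origin list. And because the nonce is generated per response, any check that a deployment's policy is still strict (no 'unsafe-eval' outside debug mode) should run against the config dict, as allows_eval does, not against a captured header.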