kgabryje commented on issue #24597:
URL: https://github.com/apache/superset/issues/24597#issuecomment-1623892031

   Thank you for opening this ticket! The source of the problem lies in 
`flask-appbuilder` code - I will work on the fix there.
   As an interim solution, I suggest using the following CSP config (please 
note that it uses `unsafe-inline` directive for script sources, which lowers 
the security):
   
   ```
   TALISMAN_CONFIG = {
       "content_security_policy": {
           "default-src": ["'self'"],
           "img-src": ["'self'", "data:"],
           "worker-src": ["'self'", "blob:"],
           "connect-src": [
               "'self'",
               "https://api.mapbox.com",
               "https://events.mapbox.com",
           ],
           "object-src": "'none'",
           "style-src": ["'self'", "'unsafe-inline'"],
           "script-src": ["'self'", "'unsafe-inline'"],
       },
       "force_https": False,
   }
   ```
   (Make sure that `content_security_policy_nonce_in` is removed)
   
   Alternatively, you can disable Talisman by setting `TALISMAN_ENABLED = False`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
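
An added example, not part of the comment above and not Superset or flask-talisman code: a short audit of the interim policy that reports where `'unsafe-inline'` is active and shows why `content_security_policy_nonce_in` has to be removed (under CSP Level 2 and later, browsers ignore `'unsafe-inline'` in a directive that also carries a nonce or hash source). The helper names `sources`, `render_header` and `audit` and the finding labels are hypothetical, and `nonce_in` models the setting as adding a per-request nonce to the listed directives.

```python
import re

# The interim policy from the comment above.
INTERIM_CSP = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'unsafe-inline'"],
}

def sources(policy, directive):
    """Return the source list for a directive; values may be a string or a list."""
    value = policy.get(directive, [])
    return value.split() if isinstance(value, str) else list(value)

def render_header(policy):
    """Serialize the dict into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(sources(policy, d))}" for d in policy)

def audit(policy, nonce_in=()):
    """Return (directive, finding) pairs for script-src and style-src.

    nonce_in models content_security_policy_nonce_in: the directives that
    get a per-request nonce source appended (assumption, see lead-in).
    """
    findings = []
    for directive in ("script-src", "style-src"):
        # A missing directive falls back to default-src, as in the browser.
        srcs = sources(policy, directive) or sources(policy, "default-src")
        has_inline = "'unsafe-inline'" in srcs
        has_nonce = directive in nonce_in or any(
            re.match(r"'(nonce|sha(256|384|512))-", s) for s in srcs)
        if has_inline and has_nonce:
            # The nonce or hash wins: inline scripts without it are blocked.
            findings.append((directive, "unsafe-inline-ignored"))
        elif has_inline:
            # Any inline script or style runs, so injected markup can too.
            findings.append((directive, "unsafe-inline-active"))
    return findings

if __name__ == "__main__":
    print(render_header(INTERIM_CSP))
    print(audit(INTERIM_CSP))
    print(audit(INTERIM_CSP, nonce_in=["script-src"]))
```
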
