dosubot[bot] commented on issue #36268: URL: https://github.com/apache/superset/issues/36268#issuecomment-3576471807
Hi @Gwildor! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

Export to PDF in Superset can fail with a CSP error for dashboards containing images from external domains if the Content Security Policy (CSP) set by Talisman does not explicitly allow those domains. Even if you set `https:` in your CSP, it may not be broad enough for all external images. To resolve this, you can add the specific domain (e.g., `superset.apache.org`) to the `img-src` directive in your `TALISMAN_CONFIG`, or use a wildcard (`*`) to allow images from all domains. For example:

```python
TALISMAN_CONFIG = {
    "content_security_policy": {
        "img-src": ["'self'", "data:", "blob:", "*"],
        # ... other settings
    }
}
```

or

```python
TALISMAN_CONFIG = {
    "content_security_policy": {
        "img-src": ["'self'", "data:", "blob:", "superset.apache.org"],
        # ... other settings
    }
}
```

See [this discussion](https://github.com/apache/superset/issues/33207) for more details.

Screenshots in email reports work because they use a cached server-side screenshot, which is not subject to the same browser CSP restrictions as the PDF export triggered from the browser. The PDF export endpoint itself does not appear to override or ignore Talisman settings, but if the CSP is too restrictive, images from external sources will be blocked during export, resulting in the error you see.

If you continue to have issues, double-check that your CSP settings are being applied as expected and that the domains for all external images are included in the `img-src` directive.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
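As an added worked example that is not part of the comment above and is not Superset, Flask-Talisman or Dosu code: a small CSP source-list matcher that reports which image URLs each candidate `img-src` list actually permits, so a config change can be checked before it is deployed. It implements the subset of CSP Level 3 source-expression matching relevant to `img-src`: `'self'`, `'none'`, scheme-sources (`https:`, `data:`, `blob:`) and host-sources with an optional scheme, wildcard host label and port. Under those rules a bare `*` host-source admits any http/https host but not `data:` or `blob:` URLs (which is why those scheme-sources remain in the list alongside it), and a scheme-source such as `https:` admits every https host. The page origin `https://superset.example.com` and the sample image URLs are constructed assumptions, not values from the issue.

```python
"""CSP img-src source-list matcher (added example; not Superset or Talisman code).

Covers 'self', 'none', scheme-sources and host-sources with optional scheme,
wildcard host label and port. Paths inside host-sources are ignored.
"""
from urllib.parse import urlparse

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
PAGE_ORIGIN = "https://superset.example.com"  # assumed Superset origin, not from the issue


def _scheme_matches(policy_scheme, url_scheme):
    # CSP lets an http: source also cover https:, and ws: cover wss:.
    if policy_scheme == url_scheme:
        return True
    return (policy_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.org" -> ".example.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def _effective_port(url):
    return url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme)


def _host_source_matches(source, url, origin):
    if source == "*":
        # A bare wildcard admits any network scheme (or the page's own scheme);
        # it therefore does not cover data: or blob: URLs.
        return url.scheme in NETWORK_SCHEMES or url.scheme == origin.scheme
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
    else:
        src_scheme, rest = origin.scheme, source  # no scheme given: inherit the page's
    hostport = rest.split("/", 1)[0]
    if ":" in hostport:
        src_host, src_port = hostport.rsplit(":", 1)
    else:
        src_host, src_port = hostport, None
    if not _scheme_matches(src_scheme.lower(), url.scheme):
        return False
    if url.hostname is None or not _host_matches(src_host.lower(), url.hostname):
        return False
    if src_port is None:
        # Without an explicit port, only the scheme's default port matches.
        return _effective_port(url) == DEFAULT_PORTS.get(url.scheme)
    return src_port == "*" or int(src_port) == _effective_port(url)


def csp_allows(sources, url_str, page_origin=PAGE_ORIGIN):
    """Return True if the img-src source list permits loading url_str."""
    url = urlparse(url_str)
    origin = urlparse(page_origin)
    for source in sources:
        s = source.strip()
        if s == "'none'":
            continue  # 'none' only blocks when it is the sole entry
        if s == "'self'":
            if (url.scheme, url.hostname, _effective_port(url)) == (
                    origin.scheme, origin.hostname, _effective_port(origin)):
                return True
            continue
        if s.endswith(":") and "://" not in s:
            # scheme-source such as https:, data:, blob:
            if _scheme_matches(s[:-1].lower(), url.scheme):
                return True
            continue
        if _host_source_matches(s, url, origin):
            return True
    return False


def compare_policies(policies, urls):
    """Map each policy name to {url: allowed} so candidate configs can be compared."""
    return {name: {u: csp_allows(srcs, u) for u in urls} for name, srcs in policies.items()}


# Constructed sample image URLs and candidate img-src lists (not taken from the issue).
SAMPLE_URLS = [
    "https://superset.apache.org/img/logo.png",
    "https://cdn.example.org/chart.png",
    "http://cdn.example.org/chart.png",
    "data:image/png;base64,iVBORw0KGgo=",
]
POLICIES = {
    "wildcard": ["'self'", "data:", "blob:", "*"],
    "pinned_host": ["'self'", "data:", "blob:", "superset.apache.org"],
    "any_https": ["'self'", "data:", "blob:", "https:"],
}

if __name__ == "__main__":
    for name, result in compare_policies(POLICIES, SAMPLE_URLS).items():
        print(name)
        for u, ok in result.items():
            print(f"  {'allow' if ok else 'block'}  {u}")
```

Running the script prints, for each candidate list, which of the sample URLs would load; pasting the `img-src` list straight out of `TALISMAN_CONFIG` into `POLICIES` lets the same check run against the hosts a dashboard really references. The matcher ignores host-source paths and the `'unsafe-*'` keywords, which have no bearing on image loads.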
