dosubot[bot] commented on issue #36779: URL: https://github.com/apache/superset/issues/36779#issuecomment-3678643195
The error you’re seeing in Superset 6.0.0 when hovering over deck.gl polygons is caused by stricter Content Security Policy (CSP) settings that block the use of `eval()` in the frontend. Recent updates to deck.gl and React dependencies, as well as changes in Superset’s webpack and CSP configuration, mean that some frontend code now requires `eval` or similar dynamic execution, which is blocked by default for security reasons in production builds ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L1636-L1702), [discussion](https://github.com/apache/superset/discussions/33957#discussioncomment-13600099)).

Superset’s default CSP does **not** allow `'unsafe-eval'` in `script-src`, which is recommended for security but can break frontend libraries that use `eval`. In development mode, you can enable `'unsafe-eval'` by using `TALISMAN_DEV_CONFIG`, but this is **not recommended for production** due to security risks ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L1636-L1702)).

**Workarounds for development/testing:**

- In your `superset_config.py`, you can temporarily enable `'unsafe-eval'` for development by setting:

  ```python
  TALISMAN_ENABLED = True
  TALISMAN_CONFIG = {
      "content_security_policy": {
          "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
          # ...other directives...
      }
  }
  ```

- For production, the best practice is to avoid dependencies that require `eval` under strict CSP. There is no official guidance recommending `'unsafe-eval'` in production ([discussion](https://github.com/apache/superset/discussions/33957#discussioncomment-13600099)).

**Why this changed:**
Superset 6.0.0 updated deck.gl and React, and tightened CSP enforcement to comply with Apache Software Foundation security requirements. This means frontend code that previously worked may now fail if it relies on dynamic code execution ([source](https://github.com/apache/superset/pull/35743), [discussion](https://github.com/apache/superset/issues/35845#issuecomment-3636347489)).

If you need to suppress CSP warnings (but not errors), you can set:

```python
CONTENT_SECURITY_POLICY_WARNING = False
```

in `superset_config.py`, but this will not resolve eval blocking errors.

If you need more help with a minimal reproducible example or want to discuss possible upstream fixes, let me know!
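Added example, not part of the comment above and not Superset's or flask-talisman's own code: a small audit that takes a CSP dict in the shape of `TALISMAN_CONFIG["content_security_policy"]` and reports whether the effective `script-src` contains `'unsafe-eval'` or `'unsafe-inline'`, so a development override like the one in the comment cannot be shipped to production unnoticed. The two sample policies, the `RISKY_SCRIPT_SOURCES` set, the function names and the simplified header rendering are all assumptions constructed for this example; Talisman renders the header itself and the real Superset defaults contain more directives than shown here.

```python
"""Audit a Talisman-style CSP dict for eval-enabling script sources.

Added example (hypothetical helpers, not Superset or flask-talisman code).
"""
from typing import Dict, List, Union

CSPValue = Union[str, List[str]]
CSP = Dict[str, CSPValue]

# Constructed strict baseline for this example; the real Superset default has
# more directives (see superset/config.py in the linked source).
PROD_CSP: CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", "blob:"],
    "object-src": "'none'",
}

# Development override in the spirit of the comment's workaround: same policy,
# but script-src additionally permits inline scripts and eval().
DEV_CSP: CSP = {
    **PROD_CSP,
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
}

# Source expressions that weaken script execution enough to be flagged.
RISKY_SCRIPT_SOURCES = {"'unsafe-eval'", "'unsafe-inline'", "*"}


def _as_list(value: CSPValue) -> List[str]:
    """Talisman accepts either a string or a list per directive; normalise to a list."""
    return value.split() if isinstance(value, str) else list(value)


def effective_script_sources(csp: CSP) -> List[str]:
    """Return the sources that govern scripts.

    Per the CSP spec, a missing script-src falls back to default-src, so an
    'unsafe-eval' hidden in default-src counts just as much.
    """
    if "script-src" in csp:
        return _as_list(csp["script-src"])
    return _as_list(csp.get("default-src", ""))


def audit_script_src(csp: CSP) -> List[str]:
    """List the risky source expressions present in the effective script-src (sorted)."""
    return sorted(s for s in effective_script_sources(csp) if s in RISKY_SCRIPT_SOURCES)


def ensure_production_safe(csp: CSP) -> CSP:
    """Refuse a policy whose script-src would allow eval()/inline scripts in production."""
    risky = audit_script_src(csp)
    if risky:
        raise ValueError(f"production CSP allows {', '.join(risky)} in script-src")
    return csp


def render_csp(csp: CSP) -> str:
    """Simplified header rendering for inspection (Talisman does its own rendering)."""
    return "; ".join(f"{name} {' '.join(_as_list(value))}" for name, value in csp.items())


if __name__ == "__main__":
    for env, csp in (("development", DEV_CSP), ("production", PROD_CSP)):
        print(f"{env}: {render_csp(csp)}")
        print(f"  risky script-src entries: {audit_script_src(csp) or 'none'}")
    # The guard is what stops a copied dev override reaching production.
    ensure_production_safe(PROD_CSP)
    try:
        ensure_production_safe(DEV_CSP)
    except ValueError as exc:
        print(f"rejected: {exc}")
```

A practical place to call `ensure_production_safe` is at the bottom of `superset_config.py`, guarded by whatever flag distinguishes the production deployment, so the `'unsafe-eval'` workaround can exist in a local override without ever being silently promoted.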
