dosubot[bot] commented on issue #36779: URL: https://github.com/apache/superset/issues/36779#issuecomment-3678682566
There isn't a way to use custom JavaScript tooltip generators in deck.gl polygons in Superset 6.0.0 without relaxing the Content Security Policy to allow `'unsafe-eval'`. The reason is that Superset evaluates your tooltip code using a sandboxed function that ultimately relies on dynamic code execution (like `eval` or `new Function`), which is blocked by strict CSP settings in production for security reasons [see source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/plugins/legacy-preset-chart-deckgl/src/utils/sandbox.ts#L19-L65).

Best practice is to avoid using custom JS tooltips unless absolutely necessary. Instead, you can build rich tooltips by shaping your query results in SQL or your dataset so that all the fields you want to show are available to Superset's built-in tooltip renderer. This way, you don't need to enable JS controls or relax CSP, and your deployment stays secure [see source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L1636-L1706).

If you need full JS tooltip flexibility, you'll have to keep `'unsafe-eval'` enabled, but this is not recommended for production environments due to security risks.
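As an added example (not part of the bot's answer and not Superset's own code), a small audit that flags a Superset `TALISMAN_CONFIG` whose effective `script-src` permits `'unsafe-eval'`, which is the relaxation custom JS tooltips require. It assumes Superset's config layout, a `"content_security_policy"` dict mapping directive names to a list of sources or a single string, and the weak and strict sample configs are constructed.

```python
# Added example (not Superset's own code): audit a Superset TALISMAN_CONFIG-style
# CSP for the 'unsafe-eval' relaxation that custom JS tooltips require.
# Assumes Superset's layout: {"content_security_policy": {directive: list|str}}.
from typing import Dict, List, Union

CSPDirectives = Dict[str, Union[str, List[str]]]


def _sources(csp: CSPDirectives, directive: str) -> List[str]:
    """Return a directive's source list, accepting the single-string form
    Superset uses for some directives (e.g. "object-src": "'none'")."""
    value = csp.get(directive, [])
    return [value] if isinstance(value, str) else list(value)


def effective_script_src(csp: CSPDirectives) -> List[str]:
    """Per the CSP spec, script-src falls back to default-src when absent."""
    if "script-src" in csp:
        return _sources(csp, "script-src")
    return _sources(csp, "default-src")


def allows_unsafe_eval(talisman_config: dict) -> bool:
    """True when the effective script-src permits eval / new Function."""
    csp = talisman_config.get("content_security_policy", {})
    return "'unsafe-eval'" in effective_script_src(csp)


# Constructed sample configs. WEAK is what enabling custom JS tooltips needs;
# STRICT keeps the default and blocks the sandbox's dynamic code execution.
WEAK_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "object-src": "'none'",
        "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
    },
}

STRICT_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "object-src": "'none'",
        "script-src": ["'self'", "'strict-dynamic'"],
    },
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strict", STRICT_CONFIG)):
        print(f"{name}: unsafe-eval allowed = {allows_unsafe_eval(cfg)}")
```

The fallback check matters because a config that drops `script-src` entirely inherits `default-src`, so `'unsafe-eval'` placed there also enables dynamic code execution.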
