How to reproduce the bug

  • Prepare dataset with "lat", "lng" columns
  • Create a deck.gl Scatterplot chart -> Rendering on Map works fine
  • In the "Advanced" section, add a "Javascript Data Interceptor" function
  • Update chart

Expected results

The render on the map still works fine without any modifications to CSP directives

Actual results

Error thrown in the console:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-y8RSRvMUO3pXJ4LbJ-H3DScTT9JYDqJf'".

Screenshots

Screenshot 2023-08-10 at 15:50:42

Environment

(please complete the following information):

  • browser type and version: Chrome Version 115.0.5790.114
  • superset version: master branch on commit 764f0f79ca636d50e7660cdfe5975c881df6c024 with unchanged docker-compose-non-dev.yml and SUPERSET_ENV = production and FLASK_ENV = production environment value. Deployed with docker-compose.

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • [x] I have reproduced the issue with at least the latest released version of superset.
  • [x] I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Talisman / CSP has been enabled by default here: https://github.com/apache/superset/pull/24262 , documentation says:

Superset needs the style-src unsafe-inline CSP directive in order to operate.

Documentation does not say anything about a needed unsafe-eval directive. However, it seems at least for the deck.gl Scatterplot chart to work properly with a "Javascript Data Interceptor" set, the Talisman config needs the unsafe-eval directive on "script-src":

TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}

I am not sure if this is a bug in deck.gl Scatterplot or if it is okay to set the unsafe-eval directive in the TALISMAN_CONFIG.

Thanks for your help!

Comment From: qleroy

I am experiencing the same type of error for Handlebars on 3.0.0rc3. It was working fine on 2.1.1.

Comment From: kim-larsh

Also experiencing this on Handlebars charts in 3.0.0; it worked in 2.1.

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-4LtoOfLG9FyQxTFtAg3XpkVBtPqO6CwI'".

Tried TALISMAN_CONFIG options as in the config.py file but did not work in superset_config.py

TALISMAN_ENABLED = False does work in superset_config.py but would prefer not to do that.

Comment From: edgars

Is there any solution for it? I am using 3.1.1.

Comment From: jeverling

Is there any solution for it? I am using 3.1.1.

Hi, the following config works around this issue for me:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}

This is based on upstream config for 3.0.2, so you might want to check this config value for the version you're using, and adjust accordingly. The default is set in this file:

https://github.com/apache/superset/blob/master/superset/config.py#L1402
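Added example, not code from Superset or flask-talisman: it approximates how a TALISMAN_CONFIG["content_security_policy"] dict becomes the Content-Security-Policy header value shown in the error messages above, then inspects the resulting script-src. It serves both configs in this thread: the issue's default-plus-unsafe-eval variant and the 'unsafe-inline' + 'unsafe-eval' workaround posted just above. The policy dicts and the nonce are constructed for the example; the serialization rule (directives joined by "; ", sources by spaces, a 'nonce-…' source appended to each directive in content_security_policy_nonce_in) is an assumption checked against the header quoted in the issue, not Talisman's actual implementation.

```python
# Added example, not Superset/Talisman code. Constructed policies based on the
# directives visible in this issue's error message and the posted workarounds.
import secrets
from typing import Dict, List, Union

Policy = Dict[str, Union[str, List[str]]]

# script-src as it appears in the reported error ('self' 'strict-dynamic' + nonce)
DEFAULT_CSP: Policy = {
    "default-src": ["'self'"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'strict-dynamic'"],
}

# the issue author's workaround: same as above plus 'unsafe-eval'
WORKAROUND_CSP: Policy = {
    "default-src": ["'self'"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
}


def render_csp(policy: Policy, nonce_in: List[str], nonce: str) -> str:
    """Serialize a policy dict into a CSP header value.

    Assumed Talisman-style convention: directives joined with '; ', list values
    joined with spaces, and a 'nonce-<value>' source appended to every directive
    named in nonce_in (Superset lists "script-src" there).
    """
    parts = []
    for directive, sources in policy.items():
        values = [sources] if isinstance(sources, str) else list(sources)
        if directive in nonce_in:
            values.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(values)}")
    return "; ".join(parts)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value back into {directive: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def script_src_findings(header: str) -> List[str]:
    """Report what the effective script-src permits, per CSP Level 2/3 rules:
    a nonce or hash makes 'unsafe-inline' a no-op, 'strict-dynamic' makes
    'self' and host sources a no-op, and only 'unsafe-eval' lets eval() or
    new Function() run a string as code."""
    directives = parse_csp(header)
    # script-src falls back to default-src when it is absent
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    findings: List[str] = []
    if "'unsafe-eval'" in sources:
        findings.append("unsafe-eval")  # string-to-code (eval/new Function) allowed
    if "'unsafe-inline'" in sources:
        # with a nonce present this keyword is ignored by the browser
        findings.append("unsafe-inline-ignored" if has_nonce_or_hash else "unsafe-inline")
    if "'strict-dynamic'" in sources:
        findings.append("strict-dynamic")  # 'self' and host allow-list entries ignored
    return findings


def eval_blocked(header: str) -> bool:
    """True when a browser would raise the "Refused to evaluate a string as
    JavaScript" error from this issue for eval()/new Function() calls."""
    return "unsafe-eval" not in script_src_findings(header)


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(24)  # constructed per-response nonce
    for name, policy in (("default", DEFAULT_CSP), ("workaround", WORKAROUND_CSP)):
        header = render_csp(policy, ["script-src"], nonce)
        print(f"{name}: {header}")
        print(f"  findings={script_src_findings(header)} eval_blocked={eval_blocked(header)}")
```

Running it shows the default policy blocks eval (so the JavaScript Data Interceptor and Handlebars template compilation fail as reported) while the workaround allows it; feeding it the 'unsafe-inline' + 'unsafe-eval' script-src from the comment above reports that 'unsafe-inline' is ignored because the nonce is still added, so only 'unsafe-eval' actually changes anything in that variant.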

Comment From: rusackas

This seems like a config issue more than a docs issue, but how would you propose resolving it? I don't think we should turn on unsafe-eval unless we really must. Maybe a documentation change or some notes in the config file would suffice? Unsafe eval is (as it says on the tin) not the safest thing. The DeckGL tooltips in their current state are not a secure feature, as stated in the code/config. I'm hoping to deprecate them as part of 5.0, in hopes that we can replace them with a less risky feature in Superset 5.0 or 6.0.

Comment From: kgabryje

unsafe-eval is off by default for the reasons mentioned by @rusackas. If the features blocked by CSP configs are essential for you, and if you're fine with the security implications, you can add 'unsafe-eval' to the config - it's the only workaround as of now.

Comment From: torzsmokus

I'm hoping to deprecate them as part of 5.0, in hopes that we can replace them with a less risky feature in Superset 5.0 or 6.0.

Has a better replacement been found yet? I skimmed the 5.0.0 changelog and haven't seen one :(