fix: Revert enable strong session protection by default (#24256) (#24545)
michael-s-molina authored Jun 28, 2023
1 parent a90f740 commit cdbe4f3
Showing 3 changed files with 8 additions and 16 deletions.
1 change: 0 additions & 1 deletion UPDATING.md
@@ -26,7 +26,6 @@ assists people when migrating to a new version.

- [24335](https://github.com/apache/superset/pull/24335): Removed deprecated API `/superset/filter/<datasource_type>/<int:datasource_id>/<column>/`
- [24185](https://github.com/apache/superset/pull/24185): `/api/v1/database/test_connection` and `api/v1/database/validate_parameters` permissions changed from `can_read` to `can_write`. Only Admin user's have access.
- [24256](https://github.com/apache/superset/pull/24256): `Flask-Login` session validation is now set to `strong` by default. Previous setting was `basic`.
- [24232](https://github.com/apache/superset/pull/24232): Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated.
- [23652](https://github.com/apache/superset/pull/23652): Enables GENERIC_CHART_AXES feature flag by default.
- [23226](https://github.com/apache/superset/pull/23226): Migrated endpoint `/estimate_query_cost/<int:database_id>` to `/api/v1/sqllab/estimate/`. Corresponding permissions are can estimate query cost on SQLLab. Make sure you add/replace the necessary permissions on any custom roles you may have.
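Review bot: the 24256 line is deleted but nothing records the reversal. If 24256 reached a release, a reader of UPDATING.md now sees neither the change nor its undoing; add an entry for #24545 stating that Superset no longer sets `SESSION_PROTECTION` and that the effective default returns to `basic`, the value the deleted entry names as the previous setting.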
21 changes: 8 additions & 13 deletions docs/docs/security.mdx
@@ -157,11 +157,6 @@ HTTPS if the cookie is marked “secure”. The application must be served over

`PERMANENT_SESSION_LIFETIME`: (default: "31 days") The lifetime of a permanent session as a `datetime.timedelta` object.

- Relevant Flask-Login settings:

`SESSION_PROTECTION`: The method used to protect the session from being stolen. [Documentation](https://flask-login.readthedocs.io/en/latest/#session-protection)
Default: "strong"

### Content Security Policy (CSP)

Superset uses the [Talisman](https://pypi.org/project/flask-talisman/) extension to enable implementation of a
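Review bot: removing the whole "Relevant Flask-Login settings" block leaves docs/docs/security.mdx with no mention that `SESSION_PROTECTION` exists, even though the setting is still a valid key an administrator can place in `superset_config.py`. Reverting the default does not require deleting the documentation; keep the block and change `Default: "strong"` to the default that now applies (`basic`, per the UPDATING.md entry this same commit removes), so an operator who wants the stricter mode knows which key to set and where the documentation link is.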
@@ -182,29 +177,29 @@ It's extremely important to correctly configure a Content Security Policy when d
prevent many types of attacks. Superset provides two variables in `config.py` for deploying a CSP:

- `TALISMAN_ENABLED` defaults to `False`; set this to `True` in order to implement a CSP
- `TALISMAN_CONFIG` holds the actual the policy definition (*see example below*) as well as any
other arguments to be passed to Talisman.
- `TALISMAN_CONFIG` holds the actual the policy definition (_see example below_) as well as any
other arguments to be passed to Talisman.

When running in production mode, Superset will check at startup for the presence
of a CSP. If one is not found, it will issue a warning with the security risks. For environments
of a CSP. If one is not found, it will issue a warning with the security risks. For environments
where CSP policies are defined outside of Superset using other software, administrators can disable
this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.

#### CSP Requirements

* Superset needs both the `'unsafe-eval'` and `'unsafe-inline'` CSP keywords in order to operate.
- Superset needs both the `'unsafe-eval'` and `'unsafe-inline'` CSP keywords in order to operate.

```
default-src 'self' 'unsafe-eval' 'unsafe-inline'
```

* Some dashboards load images using data URIs and require `data:` in their `img-src`
- Some dashboards load images using data URIs and require `data:` in their `img-src`

```
img-src 'self' data:
```

* MapBox charts use workers and need to connect to MapBox servers in addition to the Superset origin
- MapBox charts use workers and need to connect to MapBox servers in addition to the Superset origin

```
worker-src 'self' blob:
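Review bot: apart from the removed session-protection block, every change in this file is cosmetic (`*see example below*` to `_see example below_`, `* ` list markers to `- `, double spaces after sentences collapsed to one). A revert should be the inverse of the original commit; mixing in unrelated reformatting makes the security-relevant diff harder to audit and will make `git blame` on these CSP lines point at a session-protection revert. Split the formatting into its own commit, or at least say in the message that a formatter pass is included.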
@@ -231,12 +226,12 @@ TALISMAN_CONFIG = {

Setting `TALISMAN_ENABLED = True` will invoke Talisman's protection with its default arguments,
of which `content_security_policy` is only one. Those can be found in the
[Talisman documentation](https://pypi.org/project/flask-talisman/) under *Options*.
[Talisman documentation](https://pypi.org/project/flask-talisman/) under _Options_.
These generally improve security, but administrators should be aware of their existence.

In particular, the default option of `force_https = True` may break Superset's Alerts & Reports
if workers are configured to access charts via a `WEBDRIVER_BASEURL` beginning
with `http://`. As long as a Superset deployment enforces https upstream, e.g.,
with `http://`. As long as a Superset deployment enforces https upstream, e.g.,
through a loader balancer or application gateway, it should be acceptable to set this
option to `False`, like this:

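Review bot: same cosmetic-only churn as the previous hunk (`*Options*` to `_Options_`, the double space after `with \`http://\`.` collapsed); nothing here touches session protection and it belongs with the formatting change rather than in the revert.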
2 changes: 0 additions & 2 deletions superset/config.py
@@ -1380,8 +1380,6 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument
SESSION_COOKIE_HTTPONLY = True # Prevent cookie from being read by frontend JS?
SESSION_COOKIE_SECURE = False # Prevent cookie from being transmitted over non-tls?
SESSION_COOKIE_SAMESITE: Literal["None", "Lax", "Strict"] | None = "Lax"
# Accepts None, "basic" and "strong", more details on: https://flask-login.readthedocs.io/en/latest/#session-protection
SESSION_PROTECTION = "strong"

# Cache static resources.
SEND_FILE_MAX_AGE_DEFAULT = int(timedelta(days=365).total_seconds())
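Review bot: deleting the key outright, rather than setting it back to `"basic"`, means nothing in `superset/config.py` advertises that the knob exists or what value is in force; the only statement of the pre-24256 default (`basic`) lives in the UPDATING.md line this commit also removes. Keep the explanatory comment and an explicit `SESSION_PROTECTION = "basic"` so the default is visible and greppable next to the other `SESSION_COOKIE_*` settings, and so an operator who wants `"strong"` can see where to override it. The commit title also gives no rationale for the revert; a sentence on what broke under `strong` would help anyone deciding whether to re-enable it in their own deployment.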
