docs(security): clarify CSP requirements and provide example TALISMAN_CONFIG

[reidab]

SUMMARY

This is an attempt to provide some more clarity around the CSP requirements and to add a basic example TALISMAN_CONFIG.

I've been submitting docs updates for issues I hit during an initial deployment of Superset on Kubernetes. Upon deployment, I started seeing CSP warnings from the CONTENT_SECURITY_POLICY_WARNING setting in my logs, but the docs did not provide much information about what sort of CSP Superset requires in order to function.

I first tried a basic strict CSP of default-src: 'self'; object-src: 'none'. This resulted Superset's UI failing to run with a number of errors related to unsafe-inline and unsafe-eval. Adding those keywords to the basic policy allowed Superset's UI to operate in our deployment.

• Does this capture all the necessary requirements for Superset's CSP? Are there other considerations that should be highlighted?
• Is there any reason to break out individual CSP sections like script-src and style-src vs using default-src in the example? I'd favor simplicity as a starting point if there's no compelling reason to break them out.

TESTING INSTRUCTIONS

Read the new docs.

• Does this seem like a reasonable description of the CSP requirements?
• Is the example given a reasonable default configuration?

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[michael-s-molina]

Thank you for the PR @reidab!

Does this capture all the necessary requirements for Superset's CSP? Are there other considerations that should be highlighted?

Depending on the features one will use, there may be additional configurations:

• Some dashboards use the data protocol to load images and therefore need "img-src": "'self' data:"
• MapBox chart requires: "worker-src": "'self' blob:" and "connect-src": "'self' https://api.mapbox.com https://events.mapbox.com"

Is there any reason to break out individual CSP sections like script-src and style-src vs using default-src in the example? I'd favor simplicity as a starting point if there's no compelling reason to break them out.

You should break only if you need to (see examples above).

[reidab]

@michael-s-molina thanks for the clarification and extra info! I've updated the branch to include all of these requirements.

[michael-s-molina]

Thanks @reidab for the additional documentation!