chore: various markdown warnings resolved (#30657)

Co-authored-by: Evan Rusackas <evan@preset.io>
Emad Rad
2025-03-04 23:15:49 +03:30
committed by GitHub
parent 807dcddc28
commit 2b53b1800e
20 changed files with 158 additions and 159 deletions


@@ -224,17 +224,17 @@ this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
#### CSP Requirements
* Superset needs the `style-src unsafe-inline` CSP directive in order to operate.
- Superset needs the `style-src unsafe-inline` CSP directive in order to operate.
```
style-src 'self' 'unsafe-inline'
```
* Only scripts marked with a [nonce](https://content-security-policy.com/nonce/) can be loaded and executed.
- Only scripts marked with a [nonce](https://content-security-policy.com/nonce/) can be loaded and executed.
Nonce is a random string automatically generated by Talisman on each page load.
You can get current nonce value by calling jinja macro `csp_nonce()`.
```
```html
<script nonce="{{ csp_nonce() }}">
/* my script */
</script>
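Review bot: the first fenced block in this hunk (`style-src 'self' 'unsafe-inline'`) is still left without a language tag while the script example below it now gets ```` ```html ````; if the goal is to clear the markdown fenced-code-language warning, tag that block too (for example ```` ```text ````) so the lint rule does not keep firing on this file. While touching the nonce paragraph, the sentence "You can get current nonce value by calling jinja macro `csp_nonce()`" reads better as "You can get the current nonce value by calling the Jinja macro `csp_nonce()`". Since `'unsafe-inline'` in `style-src` is the one directive here that relaxes the policy, it would also help operators to state that it is limited to styles and that scripts remain nonce-gated, which the following bullet already implies.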
@@ -256,17 +256,16 @@ You can get current nonce value by calling jinja macro `csp_nonce()`.
- Cartodiagram charts request map data (image and json) from external resources that can be edited by users,
and therefore either require a list of allowed domains to request from or a wildcard (`'*'`) for `img-src` and `connect-src`.
* Other CSP directives default to `'self'` to limit content to the same origin as the Superset server.
- Other CSP directives default to `'self'` to limit content to the same origin as the Superset server.
In order to adjust provided CSP configuration to your needs, follow the instructions and examples provided in
[Content Security Policy Reference](https://content-security-policy.com/)
#### Other Talisman security considerations
Setting `TALISMAN_ENABLED = True` will invoke Talisman's protection with its default arguments,
of which `content_security_policy` is only one. Those can be found in the
[Talisman documentation](https://pypi.org/project/flask-talisman/) under _Options_.
[Talisman documentation](https://pypi.org/project/flask-talisman/) under *Options*.
These generally improve security, but administrators should be aware of their existence.
In particular, the option of `force_https = True` (`False` by default) may break Superset's Alerts & Reports
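Review bot: the sentence ending in the `[Content Security Policy Reference](https://content-security-policy.com/)` link has no terminating period, and the `#### Other Talisman security considerations` heading directly follows it with no blank line, so the blank-lines-around-headings warning would still be raised here; add the period and a blank line before the heading. On the Cartodiagram bullet, the text offers either an allow-list of domains or a wildcard (`'*'`) for `img-src` and `connect-src` as equal options; consider wording it so the domain allow-list is the recommended choice and the wildcard is called out as the option that weakens the policy, since that is the trade-off an administrator editing `CONTENT_SECURITY_POLICY` needs to weigh.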