chore: Un-revert enabling CSP by default (#24543)

docs/docs/security.mdx

@@ -176,9 +176,9 @@ a certain resource type or policy area. You can check possible directives
 It's extremely important to correctly configure a Content Security Policy when deploying Superset to
 prevent many types of attacks. Superset provides two variables in `config.py` for deploying a CSP:
 
-- `TALISMAN_ENABLED` defaults to `False`; set this to `True` in order to implement a CSP
-- `TALISMAN_CONFIG` holds the actual the policy definition (_see example below_) as well as any
-  other arguments to be passed to Talisman.
+- `TALISMAN_ENABLED` defaults to `True`; set this to `False` in order to disable CSP
+- `TALISMAN_CONFIG` holds the actual the policy definition (*see example below*) as well as any
+other arguments to be passed to Talisman.
 
 When running in production mode, Superset will check at startup for the presence
 of a CSP. If one is not found, it will issue a warning with the security risks. For environments
@@ -187,10 +187,20 @@ this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
 
 #### CSP Requirements
 
-- Superset needs both the `'unsafe-eval'` and `'unsafe-inline'` CSP keywords in order to operate.
+* Superset needs the `style-src unsafe-inline` CSP directive in order to operate.
 
   ```
-  default-src 'self' 'unsafe-eval' 'unsafe-inline'
+  style-src 'self' 'unsafe-inline'
+  ```
+
+* Only scripts marked with a [nonce](https://content-security-policy.com/nonce/) can be loaded and executed.
+Nonce is a random string automatically generated by Talisman on each page load.
+You can get current nonce value by calling jinja macro `csp_nonce()`.
+
+  ```
+  <script nonce="{{ csp_nonce() }}">
+  /* my script */
+  </script>
   ```
 
 - Some dashboards load images using data URIs and require `data:` in their `img-src`
@@ -206,21 +216,11 @@ this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
   connect-src 'self' https://api.mapbox.com https://events.mapbox.com
   ```
 
-This is a basic example `TALISMAN_CONFIG` that implements the above requirements, uses `'self'` to
-limit content to the same origin as the Superset server, and disallows outdated HTML elements by
-setting `object-src` to `'none'`.
+* Other CSP directives default to `'self'` to limit content to the same origin as the Superset server.
+
+In order to adjust provided CSP configuration to your needs, follow the instructions and examples provided in
+[Content Security Policy Reference](https://content-security-policy.com/)
 
-```python
-TALISMAN_CONFIG = {
-    "content_security_policy": {
-        "default-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
-        "img-src": ["'self'", "data:"],
-        "worker-src": ["'self'", "blob:"],
-        "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
-        "object-src": "'none'",
-    }
-}
-```
 
 #### Other Talisman security considerations
 
@@ -229,15 +229,15 @@ of which `content_security_policy` is only one. Those can be found in the
 [Talisman documentation](https://pypi.org/project/flask-talisman/) under _Options_.
 These generally improve security, but administrators should be aware of their existence.
 
-In particular, the default option of `force_https = True` may break Superset's Alerts & Reports
+In particular, the option of `force_https = True` (`False` by default) may break Superset's Alerts & Reports
 if workers are configured to access charts via a `WEBDRIVER_BASEURL` beginning
-with `http://`. As long as a Superset deployment enforces https upstream, e.g.,
-through a loader balancer or application gateway, it should be acceptable to set this
-option to `False`, like this:
+with `http://`.  As long as a Superset deployment enforces https upstream, e.g.,
+through a loader balancer or application gateway, it should be acceptable to keep this
+option disabled. Otherwise, you may want to enable `force_https` like this:
 
 ```python
 TALISMAN_CONFIG = {
-    "force_https": False,
+    "force_https": True,
     "content_security_policy": { ...
 ```