From c878e2e102a39fec9fd70558e96e2d3dfbfb0bf7 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar
Date: Wed, 13 Dec 2023 11:45:14 +0000
Subject: [PATCH] chore: improve CSP add base uri restriction (#26251)

(cherry picked from commit 578a899152719415c65c24055f4378b838ded435)
---
 superset/config.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/superset/config.py b/superset/config.py
index 164ea1a5be1..d62136a0004 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1409,6 +1409,7 @@ TALISMAN_ENABLED = utils.cast_to_boolean(os.environ.get("TALISMAN_ENABLED", True
 # If you want Talisman, how do you want it configured??
 TALISMAN_CONFIG = {
 "content_security_policy": {
+ "base-uri": ["'self'"],
 "default-src": ["'self'"],
 "img-src": ["'self'", "blob:", "data:"],
 "worker-src": ["'self'", "blob:"],
@@ -1431,6 +1432,7 @@ TALISMAN_CONFIG = {
 # React requires `eval` to work correctly in dev mode
 TALISMAN_DEV_CONFIG = {
 "content_security_policy": {
+ "base-uri": ["'self'"],
 "default-src": ["'self'"],
 "img-src": ["'self'", "blob:", "data:"],
 "worker-src": ["'self'", "blob:"],
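Review bot: The new `"base-uri": ["'self'"]` entry in TALISMAN_CONFIG carries no comment explaining why it is needed, and since it sits directly above `"default-src": ["'self'"]` a later edit could drop it as apparently redundant — which it is not, because `base-uri` is one of the directives that does not fall back to `default-src`. A one-line comment above the entry, in the style of the existing `# React requires `eval`` note, would pin that down: `# base-uri has no default-src fallback; keep it to 'self' so a <base> tag cannot redirect relative URLs off-origin`. The same entry is added again to TALISMAN_DEV_CONFIG in the second hunk, and both dicts already repeat `default-src`, `img-src` and `worker-src` verbatim; keeping the shared directives in one dict that both configs extend would stop the two policies drifting apart on future hardening changes. Both TALISMAN_CONFIG and TALISMAN_DEV_CONFIG continue past the end of their hunks, so the rest of each policy is not visible here.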