QT/superset2
1
0
Fork 0
mirror of https://github.com/apache/superset.git synced 2026-04-17 23:25:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Revert enable strong session protection by default (#24256) (#24545)

Browse Source
This commit is contained in:
Michael S. Molina
2023-06-28 13:35:44 -03:00
committed by GitHub
parent a90f740a81
commit cdbe4f3fa7
3 changed files with 8 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/docs/security.mdx
View File

@@ -157,11 +157,6 @@ HTTPS if the cookie is marked “secure”. The application must be served over
`PERMANENT_SESSION_LIFETIME`: (default: "31 days") The lifetime of a permanent session as a `datetime.timedelta` object.
- Relevant Flask-Login settings:
`SESSION_PROTECTION`: The method used to protect the session from being stolen. [Documentation](https://flask-login.readthedocs.io/en/latest/#session-protection)
Default: "strong"
### Content Security Policy (CSP)
Superset uses the [Talisman](https://pypi.org/project/flask-talisman/) extension to enable implementation of a
@@ -182,29 +177,29 @@ It's extremely important to correctly configure a Content Security Policy when d
prevent many types of attacks. Superset provides two variables in `config.py` for deploying a CSP:
- `TALISMAN_ENABLED` defaults to `False`; set this to `True` in order to implement a CSP
- `TALISMAN_CONFIG` holds the actual the policy definition (*see example below*) as well as any
other arguments to be passed to Talisman.
- `TALISMAN_CONFIG` holds the actual the policy definition (_see example below_) as well as any
other arguments to be passed to Talisman.
When running in production mode, Superset will check at startup for the presence
of a CSP. If one is not found, it will issue a warning with the security risks. For environments
of a CSP. If one is not found, it will issue a warning with the security risks. For environments
where CSP policies are defined outside of Superset using other software, administrators can disable
this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
#### CSP Requirements
* Superset needs both the `'unsafe-eval'` and `'unsafe-inline'` CSP keywords in order to operate.
- Superset needs both the `'unsafe-eval'` and `'unsafe-inline'` CSP keywords in order to operate.
```
default-src 'self' 'unsafe-eval' 'unsafe-inline'
```
* Some dashboards load images using data URIs and require `data:` in their `img-src`
- Some dashboards load images using data URIs and require `data:` in their `img-src`
```
img-src 'self' data:
```
* MapBox charts use workers and need to connect to MapBox servers in addition to the Superset origin
- MapBox charts use workers and need to connect to MapBox servers in addition to the Superset origin
```
worker-src 'self' blob:
@@ -231,12 +226,12 @@ TALISMAN_CONFIG = {
Setting `TALISMAN_ENABLED = True` will invoke Talisman's protection with its default arguments,
of which `content_security_policy` is only one. Those can be found in the
[Talisman documentation](https://pypi.org/project/flask-talisman/) under *Options*.
[Talisman documentation](https://pypi.org/project/flask-talisman/) under _Options_.
These generally improve security, but administrators should be aware of their existence.
In particular, the default option of `force_https = True` may break Superset's Alerts & Reports
if workers are configured to access charts via a `WEBDRIVER_BASEURL` beginning
with `http://`. As long as a Superset deployment enforces https upstream, e.g.,
with `http://`. As long as a Superset deployment enforces https upstream, e.g.,
through a loader balancer or application gateway, it should be acceptable to set this
option to `False`, like this: