feat: Adds a Content Security Policy (CSP) check for production environments (#21874)

superset/initialization/__init__.py

@@ -575,8 +575,28 @@ class SupersetAppInitializer:  # pylint: disable=too-many-public-methods
         # Flask-Compress
         Compress(self.superset_app)
 
-        if self.config["TALISMAN_ENABLED"]:
-            talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
+        show_csp_warning = False
+        if (
+            self.config["CONTENT_SECURITY_POLICY_WARNING"]
+            and not self.superset_app.debug
+        ):
+            if self.config["TALISMAN_ENABLED"]:
+                talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
+                if not self.config["TALISMAN_CONFIG"].get("content_security_policy"):
+                    show_csp_warning = True
+            else:
+                show_csp_warning = True
+
+        if show_csp_warning:
+            logger.warning(
+                "We haven't found any Content Security Policy (CSP) defined in "
+                "the configurations. Please make sure to configure CSP using the "
+                "TALISMAN_CONFIG key or any other external software. Failing to "
+                "configure CSP have serious security implications. Check "
+                "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more "
+                "information. You can disable this warning using the "
+                "CONTENT_SECURITY_POLICY_WARNING key."
+            )
 
     def configure_logging(self) -> None:
         self.config["LOGGING_CONFIGURATOR"].configure_logging(