deck.gl Scatterplot JAVASCRIPT TOOLTIP GENERATOR tooltip no longer working in version 1.4.0 and above

[xtengx]

A clear and concise description of what the bug is.

How to reproduce the bug

1. Create deck.gl scatter plot
2. Create JAVASCRIPT TOOLTIP GENERATOR tooltip i.e. d => TEST</br>;
3. Hover over dot in plot
4. See error

Expected results

Tooltip should show "TEST"

Actual results

"Unexpected error
An error occurred while rendering the visualization: Error: Minified React error #31; visit https://reactjs.org/docs/error-decoder.html?invariant=31&args[]=TypeError%3A%20r(...).runInNewContext%20is%20not%20a%20function&args[]= for the full message or use the non-minified dev environment for full errors and additional helpful warnings.

See more"

Screenshots

If applicable, add screenshots to help explain your problem.

Environment

(please complete the following information):

• browser type and version:
• superset version: superset version
• python version: python --version
• node.js version: node -v
• any feature flags active:

Checklist

Make sure to follow these steps before submitting your issue - thank you!

• I have checked the superset logs for python stacktraces and included it here as text if there are any.
• I have reproduced the issue with at least the latest released version of superset.
• I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Add any other context about the problem here.

[villebro]

I was able to reproduce this problem. I also noticed that the Path example chart is broken, but works if the "JAVASCRIPT DATA INTERCEPTOR" is disabled.

Original:

With removed interceptor:

[chanyou0311]

I have same problem. It seems to be caused by upgrading webpack to version 5 without resolving configurations.
I've create PR. I hope to fix your problem by this changes!
#19059

[rusackas]

Since the PR is merged and the thread has gone quiet for upward of a year, I'll optimistically mark this as closed. Happy to re-open if this is still an issue in 2.0.x

[DataMinerR]

Hello @rusackas ,

this IS unfortunately still an issue in 2.1.0. I get the same error.

It would be great, if this could be solved.

BR

[DataMinerR]

Dear @rusackas ,

do we have any update on this issue?

Thank you!

[rusackas]

do we have any update on this issue?

Nope... based on the PRs merged in this thread, I previously thought it was a solved problem. If it's an issue still, I personally think we should open up a fresh Issue including repro steps, displayed errors, and known incompatible versions. This issue is just a little unclear to me.

On the other hand, this feature is questionable in terms of security - I have half a mind to deprecate it and replace it entirely with something new. If anyone has an interest in that effort, we should talk on Slack.

[DataMinerR]

Hello @rusackas ,

thank you for the update!

I wonder if there is any way to turn the tooltip completely off? Because right now it is showing the wrong thing when hovered over the map...

[DataMinerR]

Hello @rusackas ,

would you be so kind and have a look at my question at stackoverflow?

https://stackoverflow.com/questions/77404016/turn-off-deck-gl-tooltip-in-superset

Thanks & BR

[JohnDietrich-Pepper]

This is still an issue in 3.0 . Really need some way to customize tooltips...

[rusackas]

This feature is a known XSS concern, and is likely due for deprecation, honestly. I intend to propose that for 5.0 (having missed the 4.0 proposals window). I think we should move to a different means of templatizing tooltips (e.g. handlebars/jinja) that can be applicable to more chart types, including replacing these problematic ones for DeckGL. If anyone has an interest in pursuing this SIP, please join SIP Office Hours or write one up!

[vin01]

I believe (not-a-)problem here is the CSP policy from Talisman which does not allow unsafe-eval which is required for this feature and gets blocked by browser

following talisman config works:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": [
            "'self'",
            "blob:",
            "data:",
            "https://apachesuperset.gateway.scarf.sh",
            "https://static.scarf.sh/",
        ],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}

Given the nature of this issue, it would be ideal to have an alternative way to templatize tooltips. However in some cases this could be acceptable risk where users can be trusted with customized JS, we could document it, at least until a better way is possible.