OAuth login broken with Content Security Policy #24597

Closed
jgillick opened this issue Jul 5, 2023 · 5 comments
@jgillick
Contributor

jgillick commented Jul 5, 2023

(Version: latest, docker image: c23d0ee6153e)

The OAuth login button (Google, in my case) does nothing and in the browser console the following error is displayed:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-zxfr-QL5iUW2FZ0HmZqd-n1zO7yy1tRk'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

After rolling back to 2.1.0, it appears this could be due to the new nonce attribute added to all the assets (possibly added by this PR). I believe it might have something to do with the extra space around the value. For example, in my case, the HTML looks like this:

<script src="/static/assets/theme.5fb6aaa7430ffb2cbd6c.entry.js" async nonce="
    
        k4R8NQQ9rQ8B9tFSoTQ_hBEvcPFH6AUC
    
"></script>

How to reproduce the bug

  1. Using latest docker image (image ID: c23d0ee6153e)
  2. Setup OAuth authentication
  3. Load the login page: /login/
  4. View JS console. You should see Content Security Policy errors
  5. Click the login button
  6. Nothing happens. A new error might appear in the JS console.

Expected results

Clicking the login button should initiate the OAuth redirect login flow.

Actual results

Nothing happens

Screenshots

(image: Screenshot 2023-07-05 at 1 26 50 PM)

Environment

(please complete the following information):

  • browser type and version: Chrome 114.0.5735.198
  • superset version: 0.0.0-dev, docker latest: c23d0ee6153e
  • python version: 3.9.17

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.
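An added check, not part of this report and not Superset or flask-appbuilder code, that tests the hypothesis above: it extracts the nonce values the script-src directive accepts and compares each `<script>` tag's nonce attribute with them exactly, which is how browsers match nonces (no trimming), so a value padded with newlines and indentation like the one shown is reported as a mismatch rather than silently accepted. The CSP header and HTML below are constructed samples shaped like the report's, not captured Superset output.

```python
import re

# Constructed samples (not real Superset output): a CSP header of the shape quoted in
# the console error, and a page body with one padded nonce, one clean nonce and one
# script tag without any nonce.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'strict-dynamic' 'nonce-k4R8NQQ9rQ8B9tFSoTQ_hBEvcPFH6AUC'"
)
SAMPLE_HTML = """
<script src="/static/assets/theme.entry.js" async nonce="
        k4R8NQQ9rQ8B9tFSoTQ_hBEvcPFH6AUC
"></script>
<script nonce="k4R8NQQ9rQ8B9tFSoTQ_hBEvcPFH6AUC">window.ok = true;</script>
<script src="/static/assets/other.js"></script>
"""

# Opening <script ...> tags only; [^>]* also spans newlines inside the attribute list.
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r'\bnonce\s*=\s*"([^"]*)"', re.IGNORECASE)


def csp_nonces(header):
    """Return the set of nonce values accepted by the script-src directive."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return {
                p[len("'nonce-"):-1]
                for p in parts[1:]
                if p.startswith("'nonce-") and p.endswith("'")
            }
    return set()


def audit_script_nonces(html, header):
    """Compare every <script> tag's nonce attribute against the header.

    Returns a list of (tag_index, status) where status is one of
    "ok", "missing", "whitespace" (value has surrounding whitespace, so it can
    never equal the header nonce) or "mismatch" (clean value, but not in the header).
    """
    accepted = csp_nonces(header)
    findings = []
    for i, tag in enumerate(SCRIPT_TAG_RE.finditer(html)):
        match = NONCE_ATTR_RE.search(tag.group(1))
        if match is None:
            findings.append((i, "missing"))
            continue
        raw = match.group(1)
        # Browsers compare the attribute value as-is, so padding is a different value.
        if raw != raw.strip():
            findings.append((i, "whitespace"))
        elif raw not in accepted:
            findings.append((i, "mismatch"))
        else:
            findings.append((i, "ok"))
    return findings


if __name__ == "__main__":
    for index, status in audit_script_nonces(SAMPLE_HTML, SAMPLE_CSP):
        print(f"script tag #{index}: {status}")
```

Run against a saved copy of the rendered login page and the response's Content-Security-Policy header, any "whitespace" finding confirms the template is emitting the nonce with padding; "missing" entries are scripts the nonce-based policy will block regardless of formatting.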
@sfirke
Member

sfirke commented Jul 6, 2023

I was just helping someone in Slack with this same problem (they are using Azure OAuth): https://apache-superset.slack.com/archives/C0170U650CQ/p1688525362343059

@kgabryje
Member

kgabryje commented Jul 6, 2023

Thank you for opening this ticket! The source of the problem lies in flask-appbuilder code - I will work on the fix there.
As an interim solution, I suggest using the following CSP config (please note that it uses unsafe-inline directive for script sources, which lowers the security):

TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'unsafe-inline'"],
    },
    "force_https": False,
}

(Make sure that content_security_policy_nonce_in is removed)

Alternatively, you can disable Talisman by setting TALISMAN_ENABLED = False
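An added helper, not from this thread and not flask-talisman's or Superset's code, that renders a Talisman-style policy dict to a header value and flags what the interim workaround gives up: the config above is reproduced as `INTERIM_CSP`, and `STRICT_CSP` is the nonce-based form to return to once the flask-appbuilder fix ships. The per-directive nonce insertion is assumed to behave like Talisman's `content_security_policy_nonce_in` list; the rendering and audit logic are this example's own.

```python
# Added example (not flask-talisman's or Superset's code): render a Talisman-style
# policy dict to a Content-Security-Policy header value and audit script-src.

# The interim workaround from the comment above, minus the non-CSP keys.
INTERIM_CSP = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'unsafe-inline'"],
}

# Nonce-based form (assumed target once templates emit clean nonces): no
# 'unsafe-inline' for scripts; the per-response nonce is appended by render_csp.
STRICT_CSP = dict(INTERIM_CSP, **{"script-src": ["'self'", "'strict-dynamic'"]})


def _as_list(sources):
    """Talisman accepts either a single source string or a list per directive."""
    return [sources] if isinstance(sources, str) else list(sources)


def render_csp(policy, nonce=None, nonce_in=()):
    """Render a policy dict as a header value.

    When a nonce is supplied, a 'nonce-...' source is appended to each directive
    named in nonce_in (assumption: mirrors Talisman's
    content_security_policy_nonce_in list).
    """
    parts = []
    for directive, sources in policy.items():
        sources = _as_list(sources)
        if nonce and directive in nonce_in:
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def audit_csp(policy):
    """Return (directive, issue) tuples describing script-execution weaknesses."""
    findings = []
    script_src = _as_list(policy.get("script-src", policy.get("default-src", [])))
    # Browsers that support nonces/hashes ignore 'unsafe-inline' when one is present,
    # so it only weakens the policy when it stands alone.
    has_strict_source = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
    )
    if "'unsafe-inline'" in script_src and not has_strict_source:
        findings.append(("script-src", "unsafe-inline"))
    if "'unsafe-eval'" in script_src:
        findings.append(("script-src", "unsafe-eval"))
    if "object-src" not in policy and "default-src" not in policy:
        findings.append(("object-src", "missing"))
    return findings


if __name__ == "__main__":
    print(render_csp(INTERIM_CSP))
    print(audit_csp(INTERIM_CSP))
    print(render_csp(STRICT_CSP, nonce="EXAMPLE_NONCE", nonce_in=("script-src",)))
    print(audit_csp(STRICT_CSP))
```

The audit makes the trade-off explicit: the interim policy is reported for `unsafe-inline` on script-src, while the strict form passes and, rendered with a fresh nonce per response, yields the same `script-src 'self' 'strict-dynamic' 'nonce-...'` shape seen in the original console error.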

@jgillick
Contributor Author

jgillick commented Jul 6, 2023

Thank you both for your swift replies! I'm glad there's a workaround and a solution on the way.

@jgillick jgillick changed the title OAuth login broken with Content Security Policy (likely caused by nonce formatting) OAuth login broken with Content Security Policy Jul 6, 2023
@dpgaspar
Member

Thank you for reporting this issue. A fix was done on FAB to support nonces also, currently released in 4.3.4rc1. Hope to publish a final release soon.

@dpgaspar dpgaspar self-assigned this Jul 10, 2023
@dpgaspar
Member

FAB 4.3.4 is out and considered a new minor version on Superset
