This issue was moved to a discussion.

Unable to load SuperSet UI when I'm using via a domain #27913

Closed
2 of 3 tasks
vikashrajgupta opened this issue Apr 5, 2024 · 7 comments
Comments

@vikashrajgupta

vikashrajgupta commented Apr 5, 2024

Bug description

I'm getting the below error when using a domain name.

Refused to load the script 'https://superset1.greyb.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-PGDBKAzYO-8kvbduD-2u4qVUJAaWVbte'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

GET https://static.cloudflareinsights.com/beacon.min.js/v84a3a4012de94ce1a686ba8c167c359c1696973893317 net::ERR_BLOCKED_BY_CLIENT

Firstly, I set up this project locally and then on a server. In both places it works fine, but using the IP; whenever I'm using a domain name, it shows the above error.

The login page is loading perfectly; after the username and password, the UI is not visible. I tried to update config.py and superset_config.py by every possibility, but nothing works.

How to reproduce the bug

  1. opening superset1.greyb.com
  2. Go to the login page (you will be able to see the error in the console)
  3. After entering a username and password it will redirect to interfaces that are not loading

Screenshots/recordings

Screenshot from 2024-04-04 18-45-35

Superset version

master / latest-dev

Python version

3.10

Node version

18 or greater

Browser

Chrome

Additional context

I've been facing this issue for the last 3-4 days; it would be great if you could help me resolve this.

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
@rusackas
Member

rusackas commented Apr 5, 2024

Going to the provided url doesn't show Superset at all:
image

That said, whatever rocket-loader is, it's being blocked by Superset's CSP. You can add that domain to your TALISMAN_CONFIG configuration in config.py

@rusackas rusackas closed this as completed Apr 5, 2024
@vikashrajgupta
Author

vikashrajgupta commented Apr 5, 2024

@rusackas - Sorry for the incomplete details that I provided earlier, also I have tried to change the TALISMAN_CONFIG in my config.py

superset1.greyb.com is hosted on my internal network and it's not public yet, I have also confirmed and there is no blocking or any kind of issue from our end.

Here is my TALISMAN_CONFIG for both production and development mode.

TALISMAN_CONFIG = {
    'contentSecurityPolicy': False,
    "content_security_policy": {
        "default-src": ["'self'","https://superset1.greyb.com"],
        "img-src": ["'self'", "data:","https://superset1.greyb.com"],
        "worker-src": ["'self'", "blob:","https://superset1.greyb.com"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
            "https://superset1.greyb.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'","'https://superset1.greyb.com'","https://superset1.greyb.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js"],
        "script-src": ["'self'", "'unsafe-inline'","'unsafe-eval'","'https://superset1.greyb.com'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https":False,
}

I have tried many things and options related to this, but none of them is working. Whenever I'm accessing with my IP, it's working fine, as shown below.
Screenshot from 2024-04-06 00-01-01

@vikashrajgupta
Author

vikashrajgupta commented Apr 5, 2024

@rusackas - I have a request, do not close this until I get a solution from your side, and we're very curious to know the possible solution from your side.
As I have mentioned the configuration above, I just wanted to share I have tried many permutation combinations to resolve this issue but I failed.
Thanks!!!

@rusackas
Member

rusackas commented Apr 5, 2024

It looks like you have some weird double quoting in your config there, e.g. "'https://superset1.greyb.com'" should be "https://superset1.greyb.com". From the error you posted, it also seems that it's trying to do a GET to static.cloudflareinsights.com so you'll want to punch a hole for that too.

This doesn't seem like a bug with Superset, but rather a config issue... if you want to keep it open, I can move it to a GitHub discussion in the Q&A section.

@vikashrajgupta
Author

@rusackas - Tried with this config as well; getting the same error.

TALISMAN_CONFIG = {
    'contentSecurityPolicy': False,
    "content_security_policy": {
        "default-src": ["'self'","https://superset1.greyb.com"],
        "img-src": ["'self'", "data:","https://superset1.greyb.com"],
        "worker-src": ["'self'", "blob:","https://superset1.greyb.com"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
            "https://superset1.greyb.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'","https://superset1.greyb.com"],
        "script-src": ["'self'", "'unsafe-inline'","'unsafe-eval'","https://superset1.greyb.com"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https":False,
}

As I have also mentioned, I tried a few alternatives and combinations as well.

@vikashrajgupta
Author

Do you have any suggestions to resolve this issue? I also tried to make some changes in superset_config.py, but it didn't work.

@rusackas
Member

rusackas commented Apr 5, 2024

Well, there might be a few problems:

  • You have both contentSecurityPolicy and content_security_policy in there. Get rid of contentSecurityPolicy
  • It still doesn't look like you've allowed https://static.cloudflareinsights.com
  • Are you running in dev or prod mode? Note that there are two configs... TALISMAN_CONFIG and TALISMAN_DEV_CONFIG, so you should be using the right one.

@apache apache locked and limited conversation to collaborators Apr 5, 2024
@rusackas rusackas converted this issue into discussion #27924 Apr 5, 2024
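
The config problems raised in this thread (a stray camelCase key, host sources wrapped in single quotes, an origin missing from the allowlist, and the browser's note that 'strict-dynamic' disables host allowlisting) can be checked before restarting Superset. The following is an added example, not code from Superset or flask-talisman: the function names `lint` and `origin_allowed` are hypothetical, the sample dict is constructed to mirror the shape of the configs posted above, and source matching is simplified to an exact scheme://host comparison.

```python
import re
from urllib.parse import urlsplit

# Only keyword, nonce and hash sources are written inside single quotes in CSP.
QUOTED_OK = re.compile(r"^'(self|none|unsafe-inline|unsafe-eval|strict-dynamic|"
                       r"nonce-[A-Za-z0-9+/_=-]+|sha(256|384|512)-[A-Za-z0-9+/_=-]+)'$")

def _sources(value):
    """The configs above use both a string and a list per directive; normalise."""
    return value.split() if isinstance(value, str) else list(value)

def lint(cfg):
    """Return findings for a TALISMAN_CONFIG-style dict."""
    findings = []
    for key in cfg:
        if key != key.lower():  # heuristic: the option names in this thread are snake_case
            findings.append(f"unexpected key {key!r}")
    for directive, value in cfg.get("content_security_policy", {}).items():
        for src in _sources(value):
            if src.startswith("'") and not QUOTED_OK.match(src):
                findings.append(f"{directive}: {src} is quoted but is not a keyword")
    return findings

def origin_allowed(cfg, directive, url, page_origin):
    """Simplified check: is the URL's scheme://host listed for the directive?"""
    csp = cfg.get("content_security_policy", {})
    srcs = _sources(csp.get(directive, csp.get("default-src", [])))
    if directive == "script-src" and "'strict-dynamic'" in srcs:
        return False  # host allowlisting is disabled; only nonce/hash-trusted scripts load
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    return origin in srcs or ("'self'" in srcs and origin == page_origin)

# Constructed sample mirroring the shape of the config posted above.
SAMPLE = {
    "contentSecurityPolicy": False,
    "content_security_policy": {
        "default-src": ["'self'"],
        "object-src": "'none'",
        "script-src": ["'self'", "'unsafe-eval'", "'https://superset1.greyb.com'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
}
BEACON = "https://static.cloudflareinsights.com/beacon.min.js"  # path shortened

if __name__ == "__main__":
    print(lint(SAMPLE))
    print(origin_allowed(SAMPLE, "script-src", BEACON, "https://superset1.greyb.com"))
```

Run it against whichever dict is actually in effect (TALISMAN_CONFIG or TALISMAN_DEV_CONFIG), then compare the result with the Content-Security-Policy header the browser receives.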
