Merge pull request #9 from Ortege-xyz/feat/clarity

fix: content secury policy for clarity
Ortege-xyz · Dec 4, 2023 · ea581ac · ea581ac
2 parents fe49e79 + 4f0ca12
commit ea581ac
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 7 deletions.
diff --git a/superset/config.py b/superset/config.py
@@ -1425,41 +1425,79 @@ def EMAIL_HEADER_MUTATOR(  # pylint: disable=invalid-name,unused-argument
 # If you want Talisman, how do you want it configured??
 TALISMAN_CONFIG = {
     "content_security_policy": {
-        "default-src": ["'self'"],
-        "img-src": ["'self'", "blob:", "data:"],
+        "default-src": [
+            "'self'", 
+            "https://*.clarity.ms", 
+            "https://c.bing.com",
+            "'unsafe-inline'",
+        ],
+        "img-src": [
+            "'self'",
+            "blob:",
+            "data:",
+            "https://*.clarity.ms",
+            "https://c.bing.com",
+        ],
         "worker-src": ["'self'", "blob:"],
         "connect-src": [
             "'self'",
             "https://api.mapbox.com",
             "https://events.mapbox.com",
+            "https://*.clarity.ms",
+            "https://c.bing.com",
         ],
         "object-src": "'none'",
         "style-src": [
             "'self'",
             "'unsafe-inline'",
         ],
-        "script-src": ["'self'", "'strict-dynamic'"],
+        "script-src": [
+            "'self'", 
+            "'strict-dynamic'", 
+            "https://*.clarity.ms", 
+            "https://c.bing.com", 
+            "'unsafe-inline'",
+        ],
     },
     "content_security_policy_nonce_in": ["script-src"],
     "force_https": False,
 }
 # React requires `eval` to work correctly in dev mode
 TALISMAN_DEV_CONFIG = {
     "content_security_policy": {
-        "default-src": ["'self'"],
-        "img-src": ["'self'", "blob:", "data:"],
+        "default-src": [
+            "'self'", 
+            "https://*.clarity.ms", 
+            "https://c.bing.com",
+            "'unsafe-inline'",
+        ],
+        "img-src": [
+            "'self'",
+            "blob:",
+            "data:",
+            "https://*.clarity.ms",
+            "https://c.bing.com",
+        ],
         "worker-src": ["'self'", "blob:"],
         "connect-src": [
             "'self'",
             "https://api.mapbox.com",
             "https://events.mapbox.com",
+            "https://*.clarity.ms",
+            "https://c.bing.com",
         ],
         "object-src": "'none'",
         "style-src": [
             "'self'",
             "'unsafe-inline'",
         ],
-        "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+        "script-src": [
+            "'self'", 
+            "'strict-dynamic'", 
+            "https://*.clarity.ms", 
+            "'unsafe-inline'",
+            "'unsafe-eval'"
+        ],
     },
     "content_security_policy_nonce_in": ["script-src"],
     "force_https": False,

diff --git a/superset/templates/superset/basic.html b/superset/templates/superset/basic.html
@@ -70,7 +70,7 @@
       value="{{ csrf_token() if csrf_token else '' }}"
     >
 
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ csp_nonce() }}">
       (function(c,l,a,r,i,t,y){
           c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};
           t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i;