How do I configure Content Security Policy for use of ReCaptcha?

[nickbaerdt]

Hi,

I'm using the Superset in a Docker environment and I'm trying to get the AUTH_DB registration process to work but the Google reCaptcha box does not show when I access the registration site over a URL.

Some information about my setup:

• browser type and version: Chrome Version 105.0.5195.52 (Official Build) (64-bit) - but I tried others, same thing
• superset version: Superset 2.0.0 docker image "apache/superset"
• any feature flags active:

    "DASHBOARD_RBAC": True,
    "ALERT_REPORTS": True,
    "DASHBOARD_NATIVE_FILTERS": True,
    "DASHBOARD_CROSS_FILTERS": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "ENABLE_SCHEDULED_EMAIL_REPORTS": True,
    "EMAIL_NOTIFICATIONS": True

reCaptcha is configured correctly as far as I can say. If I access the container over localhost via port forwarding reCaptcha shows and works just fine:

When going over a URL the Content Security Policies hit and the Script cannot be loaded.
I used the different *_HTTP_HEADERS possibilities in the superset_config.py file:

OVERRIDE_HTTP_HEADERS = {"content-security-policy": "script-src 'self' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; script-src-elem 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/; default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/; "}
DEFAULT_HTTP_HEADERS = {"Content-Security-Policy": "default-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/;"}
DEFAULT_HTTP_HEADERS = {"Content-Security-Policy": "script-src-elem 'self' 'unsafe-eval' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/;"}

and these show up in all the other requests but not on this one that should fetch the reCaptcha-Script.

What am I doing wrong? Any help or push in the right direction would be appreciated

[Narender-007]

i am also getting same error.

[Narender-007]

Hello guys
i have got google recaptcha in apache superset.

Solution:
comment below code then re run docker container run the server you have got google recaptcha in registration page.

Do you want Talisman enabled?

TALISMAN_ENABLED = False

If you want Talisman, how do you want it configured??

TALISMAN_CONFIG = {
"content_security_policy": {
"default-src": ["'self'"],
"img-src": ["'self'", "data:"],
"worker-src": ["'self'", "blob:"],
"connect-src": [
"'self'",
"https://api.mapbox.com",
"https://events.mapbox.com",
],
"object-src": "'none'",
"style-src": ["'self'", "'unsafe-inline'"],
"script-src": ["'self'", "'strict-dynamic'" ],
},
"content_security_policy_nonce_in": ["script-src"],
"force_https": False,
}

React requires eval to work correctly in dev mode

TALISMAN_DEV_CONFIG = {
"content_security_policy": {
"default-src": ["'self'"],
"img-src": ["'self'", "data:"],
"worker-src": ["'self'", "blob:"],
"connect-src": [
"'self'",
"https://api.mapbox.com",
"https://events.mapbox.com",
],
"object-src": "'none'",
"style-src": ["'self'", "'unsafe-inline'"],
"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
},
"content_security_policy_nonce_in": ["script-src"],
"force_https": False,
}

[Ayoub-BOUCHACHIA]

In the Superset frontend development environment, asset issues can be resolved by setting the following parameters to False in superset_config.py:

TALISMAN_ENABLED = False
ENABLE_ASYNC_QUERIES = False
COMPRESS_REGISTER = False
ENABLE_BUNDLE_PROCESSING = False