deck.gl Scatterplot JAVASCRIPT TOOLTIP GENERATOR tooltip no longer working in version 1.4.0 and above #18696

Open
3 tasks done
xtengx opened this issue Feb 13, 2022 · 11 comments
Labels
#bug:regression Bugs that are identified as regressions #bug Bug report viz:charts:deck.gl Related to deck.gl charts viz:charts Namespace | Anything related to viz types

Comments

@xtengx

xtengx commented Feb 13, 2022

A clear and concise description of what the bug is.

How to reproduce the bug

  1. Create deck.gl scatter plot
  2. Create JAVASCRIPT TOOLTIP GENERATOR tooltip i.e. d => TEST</br>;
  3. Hover over dot in plot
  4. See error

Expected results

Tooltip should show "TEST"

Actual results

"Unexpected error
An error occurred while rendering the visualization: Error: Minified React error #31; visit https://reactjs.org/docs/error-decoder.html?invariant=31&args[]=TypeError%3A%20r(...).runInNewContext%20is%20not%20a%20function&args[]= for the full message or use the non-minified dev environment for full errors and additional helpful warnings.

See more"

Screenshots

If applicable, add screenshots to help explain your problem.
image

Environment

(please complete the following information):

  • browser type and version:
  • superset version: superset version
  • python version: python --version
  • node.js version: node -v
  • any feature flags active:

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Add any other context about the problem here.

@xtengx xtengx added the #bug Bug report label Feb 13, 2022
@zhaoyongjie zhaoyongjie added validation:required A committer should validate the issue viz:charts:deck.gl Related to deck.gl charts labels Feb 14, 2022
@villebro villebro added #bug:regression Bugs that are identified as regressions and removed validation:required A committer should validate the issue labels Feb 16, 2022
@villebro
Member

I was able to reproduce this problem. I also noticed that the Path example chart is broken, but works if the "JAVASCRIPT DATA INTERCEPTOR" is disabled.

Original:
image

With removed interceptor:
image

@chanyou0311

I have the same problem. It seems to be caused by upgrading webpack to version 5 without resolving configurations.
I've created a PR. I hope these changes fix your problem!
#19059

@rusackas
Member

Since the PR is merged and the thread has gone quiet for upward of a year, I'll optimistically mark this as closed. Happy to re-open if this is still an issue in 2.0.x

@DataMinerR

DataMinerR commented Aug 6, 2023

Hello @rusackas ,

this IS unfortunately still an issue in 2.1.0. I get the same error.

It would be great, if this could be solved.

BR

@rusackas rusackas reopened this Aug 8, 2023
@DataMinerR

Dear @rusackas ,

do we have any update on this issue?

Thank you!

@rusackas
Member

rusackas commented Sep 29, 2023

> do we have any update on this issue?

Nope... based on the PRs merged in this thread, I previously thought it was a solved problem. If it's an issue still, I personally think we should open up a fresh Issue including repro steps, displayed errors, and known incompatible versions. This issue is just a little unclear to me.

On the other hand, this feature is questionable in terms of security - I have half a mind to deprecate it and replace it entirely with something new. If anyone has an interest in that effort, we should talk on Slack.

@DataMinerR

Hello @rusackas ,

thank you for the update!

I wonder if there is any way to turn the tooltip completely off? Because right now it is showing the wrong thing when hovered over the map...

@DataMinerR

Hello @rusackas ,

would you be so kind and have a look at my question at stackoverflow?

https://stackoverflow.com/questions/77404016/turn-off-deck-gl-tooltip-in-superset

Thanks & BR

@JohnDietrich-Pepper

This is still an issue in 3.0. Really need some way to customize tooltips...

@rusackas
Member

rusackas commented Feb 1, 2024

This feature is a known XSS concern, and is likely due for deprecation, honestly. I intend to propose that for 5.0 (having missed the 4.0 proposals window). I think we should move to a different means of templatizing tooltips (e.g. handlebars/jinja) that can be applicable to more chart types, including replacing these problematic ones for DeckGL. If anyone has an interest in pursuing this SIP, please join SIP Office Hours or write one up!

@vin01
Contributor

vin01 commented Apr 8, 2024

I believe the (not-a-)problem here is the CSP policy from Talisman, which does not allow unsafe-eval. That is required for this feature and gets blocked by the browser.

The following Talisman config works:

```python
TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": [
            "'self'",
            "blob:",
            "data:",
            "https://apachesuperset.gateway.scarf.sh",
            "https://static.scarf.sh/",
        ],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
```

Given the nature of this issue, it would be ideal to have an alternative way to templatize tooltips. However, in some cases this could be an acceptable risk where users can be trusted with customized JS; we could document it, at least until a better way is possible.
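
The trade-off described in the comment above can be checked mechanically before a config is deployed. The following is an added example, not code from Superset or from the commenter: it audits a Talisman-style config dictionary and reports which script-execution relaxations its effective `script-src` leaves in force. The helper names and the two sample configs are hypothetical and constructed for illustration.

```python
# Added example: audit the script-src of a Talisman-style CSP dictionary.
# Helper names are hypothetical; directive names and keywords are standard CSP.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def sources(csp, directive):
    """Source list for a directive, or None if unset (values may be str or list)."""
    value = csp.get(directive)
    if value is None:
        return None
    return value.split() if isinstance(value, str) else list(value)

def audit_script_src(talisman_config):
    """Return {keyword: reason} for script-execution relaxations in effect."""
    csp = talisman_config.get("content_security_policy") or {}
    srcs = sources(csp, "script-src")
    if srcs is None:  # script-src falls back to default-src when unset
        srcs = sources(csp, "default-src")
    if srcs is None:
        return {"(no policy)": "neither script-src nor default-src restricts scripts"}

    # Talisman adds a per-response nonce to the directives listed in this option.
    nonce_in = talisman_config.get("content_security_policy_nonce_in", [])
    has_nonce = "script-src" in nonce_in or any(s.startswith(HASH_OR_NONCE) for s in srcs)

    findings = {}
    if "'unsafe-eval'" in srcs:
        # Not cancelled by a nonce or by 'strict-dynamic'.
        findings["'unsafe-eval'"] = "eval() and new Function() may run strings as code"
    if "'unsafe-inline'" in srcs and not has_nonce:
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        findings["'unsafe-inline'"] = "inline <script> and event handlers may run"
    return findings

# Constructed inputs: a policy without eval, and one with the relaxed script-src.
STRICT = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'strict-dynamic'"],
        "object-src": "'none'",
    },
    "content_security_policy_nonce_in": ["script-src"],
}
RELAXED = {
    "content_security_policy": {
        **STRICT["content_security_policy"],
        "script-src": ["'self'", "'strict-dynamic'", "'unsafe-eval'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
}
```

Running `audit_script_src` on a deployment's config in CI makes the decision to allow `'unsafe-eval'` an explicit, reviewed exception rather than a silent change.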
