chore: Enable CSP by default

[kgabryje]

SUMMARY

This PR enables TALISMAN_ENABLED by default and provides a default content security policy config.
Please keep in mind that this is a breaking change. If your Superset deployment loads additional scripts, loads images from external domains, performs HTTP requests to external domains, you need to adjust the default CSP config by adding external origins to appropriate CSP directives and/or mark the scripts with nonce as described in the updated docs.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[kgabryje]

Calling new Function() breaks the CSP rule that disallows using eval in scripts.
Extending Function is a nice hack that let's us make a class instance (in most cases it's a formatter) callable - for example instead of calling formatter.format(value) we call formatter(value). Removing super() does not break that behaviour while also letting us avoid calling Function constructor.

[codecov]

Codecov Report

Merging #24262 (857950f) into master (3e76736) will increase coverage by 0.05%.
The diff coverage is 87.80%.

❗ Current head 857950f differs from pull request most recent head 37698f2. Consider uploading reports for the commit 37698f2 to get more accurate results

@@            Coverage Diff             @@
##           master   #24262      +/-   ##
==========================================
+ Coverage   68.91%   68.97%   +0.05%     
==========================================
  Files        1899     1901       +2     
  Lines       73843    73969     +126     
  Branches     8119     8119              
==========================================
+ Hits        50892    51019     +127     
+ Misses      20840    20839       -1     
  Partials     2111     2111              

Flag	Coverage Δ
hive	53.90% <47.56%> (+<0.01%)	⬆️
javascript	55.65% <ø> (-0.01%)	⬇️
mysql	?
postgres	79.48% <87.80%> (+0.16%)	⬆️
presto	53.81% <47.56%> (+<0.01%)	⬆️
python	83.37% <87.80%> (+0.06%)	⬆️
sqlite	?
unit	54.59% <43.29%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
.../superset-ui-core/src/models/ExtensibleFunction.ts	100.00% <ø> (ø)
superset/tasks/cache.py	59.34% <48.64%> (-1.81%)	⬇️
superset/charts/commands/warm_up_cache.py	97.50% <97.50%> (ø)
superset/charts/api.py	87.78% <100.00%> (+0.70%)	⬆️
superset/charts/commands/exceptions.py	94.00% <100.00%> (+0.38%)	⬆️
superset/charts/schemas.py	99.38% <100.00%> (+0.01%)	⬆️
superset/config.py	92.00% <100.00%> (+0.02%)	⬆️
superset/datasets/api.py	88.65% <100.00%> (+0.70%)	⬆️
superset/datasets/commands/exceptions.py	94.36% <100.00%> (+0.24%)	⬆️
superset/datasets/commands/warm_up_cache.py	100.00% <100.00%> (ø)
... and 2 more

... and 13 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[sfirke]

Two things re: docs changes:

1. Typo: "Superset needs both style-src unsafe-inline CSP directive in order to operate." should be "Superset needs the ..."
2. Changing force_https to now default to False seems good to me. But it means that this section on the Security page "Other Talisman security considerations" needs to be updated. For instance right now there's text talking about how to override the default value of force_https = True.

[kgabryje]

Well spotted @sfirke, thank you!

[dpgaspar]

LGTM

[eschutho]

@kgabryje curious why this force_https change?

[kgabryje]

I wanted to limit the scope of the changes in this PR just to CSP - and force_https was disabled by default so far (since Talisman was disabled by default)

[villebro]

I agree with keeping this disabled by default - I would wager that by far the majority of prod Superset deployments terminate SSL/TLS on the LB.

[eschutho]

LGTM, i just left one question. Thanks @kgabryje!

[villebro]

Looks great! One honest question and one potential improvement idea, LMKWYT?

[villebro]

I agree with keeping this disabled by default - I would wager that by far the majority of prod Superset deployments terminate SSL/TLS on the LB.

[villebro]

shouldn't we set force_https: False here, too? AFAIK it defaults to True, right?

[kgabryje]

Yup nice catch!

[villebro]

I'm wondering if it's a good idea to have separate dev and non-dev configs. Should these maybe be TALISMAN_DEFAULT_DEV_CONFIG and TALISMAN_DEFAULT_PROD_CONFIG, and only if TALISMAN_CONFIG is undefined would we fall back to the default. Thoughts?

[kgabryje]

We must have "unsafe-eval" in dev mode - React and Webpack use it and there's no way around it

[villebro]

LGTM