
Cached thumbnails not showing in browser due to CSP #25698

Closed
3 tasks done
FiiL123 opened this issue Oct 19, 2023 · 1 comment

Comments

FiiL123 commented Oct 19, 2023

Cached thumbnails in Redis are not being shown - we get only a white placeholder.
The browser console showed an error saying that an image blob: URL could not be shown because it does not comply with the Content Security Policy directive: "img-src 'self' data:"

How to reproduce the bug

  1. Use default talisman settings
  2. Use cached thumbnails with redis
  3. Access superset with cached thumbnails

Environment

  • superset version: 3.0.0
  • python version: 3.10.13
  • kubernetes deployment
  • feature flags: ALERT_REPORTS, THUMBNAILS, THUMBNAILS_SQLA_LISTENERS, ENABLE_TEMPLATE_PROCESSING, GENERIC_CHART_AXES, ALLOW_ADHOC_SUBQUERY, DASHBOARD_RBAC, EMBEDDED_SUPERSET

Checklist

  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.
  • I have found a solution.

How we solved it

Firstly we tried the TALISMAN_ENABLED=False flag in the settings to confirm this is the issue. With CSP completely disabled, thumbnails worked fine.

Next we took a look at the default settings in config.py; these are currently:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
}

Finally:
We added blob: to img-src, making it "img-src": ["'self'", "data:", "blob:"] while retaining all other CSP directives. And the thumbnails were back on!
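To make the fix above concrete, here is an added example (not code from the issue, Superset or Flask-Talisman): a minimal evaluator of the CSP fetch-directive fallback run against the policy quoted above, showing why 'self' and data: do not cover a blob: thumbnail URL and why the extra blob: source does. The page origin, the sample URLs and the simplified header serializer are assumptions.

```python
from typing import Dict, List, Union
from urllib.parse import urlsplit

Policy = Dict[str, Union[str, List[str]]]

# Constructed copy of the CSP part of the default TALISMAN_CONFIG quoted in
# the issue, and the same policy with the fix applied to img-src.
ORIGINAL_CSP: Policy = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
    "object-src": "'none'",
}
FIXED_CSP: Policy = {**ORIGINAL_CSP, "img-src": ["'self'", "data:", "blob:"]}


def sources_for(policy: Policy, directive: str) -> List[str]:
    """Source list for a fetch directive; a directive that is absent falls
    back to default-src, which is how browsers resolve it."""
    value = policy.get(directive, policy.get("default-src", []))
    return [value] if isinstance(value, str) else list(value)


def csp_allows(policy: Policy, directive: str, url: str, page_origin: str) -> bool:
    """Decide whether `url` may be fetched under `directive` for a page served
    from `page_origin` (assumed, e.g. "https://superset.example"). Handles
    'none', 'self', scheme-sources (data:, blob:) and exact host-sources."""
    sources = sources_for(policy, directive)
    if "'none'" in sources:
        return False
    parts = urlsplit(url)
    # A scheme-source such as "blob:" permits any URL with that scheme.
    # 'self' never covers blob: or data: URLs: their scheme is not the page's.
    if f"{parts.scheme}:" in sources:
        return True
    if parts.netloc:
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        if "'self'" in sources and origin == page_origin.lower():
            return True
        # Exact origin match only; wildcard host-sources are not modelled here.
        if origin in (s.lower() for s in sources):
            return True
    return False


def render_csp_header(policy: Policy) -> str:
    """Serialize the policy to a Content-Security-Policy header value
    (simplified; not Talisman's own serializer)."""
    return "; ".join(f"{d} {' '.join(sources_for(policy, d))}" for d in policy)
```

Checking the rendered header of the intended policy against the URLs the page actually loads, as done here, catches a missing scheme-source before users see blank placeholders.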


FiiL123 commented Oct 19, 2023

Already solved in 3.0.1.
#25486
