[security] Adding Flask-Talisman

requirements.txt

@@ -4,6 +4,7 @@
 #
 #    pip-compile --output-file requirements.txt setup.py
 #
+
 alembic==1.0.0            # via flask-migrate
 amqp==2.3.2               # via kombu
 apispec[yaml]==1.2.0      # via flask-appbuilder
@@ -32,6 +33,7 @@ flask-login==0.4.1        # via flask-appbuilder
 flask-migrate==2.1.1
 flask-openid==1.2.5       # via flask-appbuilder
 flask-sqlalchemy==2.3.2   # via flask-appbuilder, flask-migrate
+flask-talisman==0.6.0
 flask-wtf==0.14.2
 flask==1.0.2
 geopy==1.11.0
@@ -70,7 +72,7 @@ requests==2.20.0
 retry==0.9.2
 selenium==3.141.0
 simplejson==3.15.0
-six==1.11.0               # via bleach, cryptography, flask-jwt-extended, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
+six==1.11.0               # via bleach, cryptography, flask-jwt-extended, flask-talisman, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
 sqlalchemy-utils==0.32.21
 sqlalchemy==1.3.1
 sqlparse==0.2.4

setup.py

@@ -80,6 +80,7 @@ def get_git_sha():
         'flask-appbuilder>=2.0.0, <2.3.0',
         'flask-caching',
         'flask-compress',
+        'flask-talisman',
         'flask-migrate',
         'flask-wtf',
         'geopy',

superset/__init__.py

@@ -27,6 +27,7 @@
 from flask_appbuilder.baseviews import expose
 from flask_compress import Compress
 from flask_migrate import Migrate
+from flask_talisman import Talisman
 from flask_wtf.csrf import CSRFProtect
 from werkzeug.contrib.fixers import ProxyFix
 import wtforms_json
@@ -229,6 +230,8 @@ def is_feature_enabled(feature):
 if conf.get('ENABLE_FLASK_COMPRESS'):
     Compress(app)
 
+Talisman(app, content_security_policy=None)
+
 # Hook that provides administrators a handle on the Flask APP
 # after initialization
 flask_app_mutator = app.config.get('FLASK_APP_MUTATOR')

superset/config.py

@@ -406,13 +406,9 @@ class CeleryConfig(object):
 CELERY_CONFIG = None
 """
 
-# static http headers to be served by your Superset server.
-# This header prevents iFrames from other domains and
-# "clickjacking" as a result
-HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
-# If you need to allow iframes from other domains (and are
-# aware of the risks), you can disable this header:
-# HTTP_HEADERS = {}
+# Additional static HTTP headers to be served by your Superset server. Note
+# Flask-Talisman aplies the relevant security HTTP headers.
+HTTP_HEADERS = {}
 
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None

superset/views/core.py

@@ -3014,7 +3014,7 @@ class CssTemplateAsyncModelView(CssTemplateModelView):
 
 
 @app.after_request
-def apply_caching(response):
+def apply_http_headers(response):
     """Applies the configuration's http headers to all responses"""
     for k, v in config.get('HTTP_HEADERS').items():
         response.headers[k] = v