"Blocked script execution" in security/users page
Apache Airflow version
3.0.0
If "Other Airflow 2 version" selected, which one?
No response
What happened?
When you use the Flask AppBuilder for security, the security/users page doesn't have 'allow-scripts', so none of the buttons work: https://github.com/apache/airflow/blob/d66a1e5b8dfd349ad99ef9b1cf125262d6db3d57/airflow-core/src/airflow/ui/src/pages/Security.tsx#L49
What you think should happen instead?
This is the error; it shouldn't block: Blocked script execution in '<URL>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
How to reproduce
Use FabAuthManager as the auth manager with AUTH_REMOTE_USER.
Operating System
airflow:3.0.0 docker image
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else?
No response
Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
Code of Conduct
- [x] I agree to follow this project's Code of Conduct
Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise a PR to address this issue, please do so; no need to wait for approval.
CC @vincbeck / @pierrejeambrun.
Maybe we should add the 'allow-scripts', but it should be only for trusted domains.
Hi @amoghrajesh @pierrejeambrun. I'd like to help with this issue.
@kevinhongzl Thanks for showing interest in this. I just assigned you :)
This was discussed in https://github.com/apache/airflow/issues/49895 and is part of our documentation. CSP should be set at the proxy level; it is up to you to set the appropriate one. Closing.
Edit: We are still missing allowing the allow-scripts. Solved in https://github.com/apache/airflow/pull/52257. Reopening.