Violates strict Content-Security-Policy when accessing the "Security" pages (Users, Roles, Actions, Resources, Permissions)

[zachliu]

Apache Airflow version

3.0.0

If "Other Airflow 2 version" selected, which one?

No response

What happened?

It looks like Airflow 3.0.0 requires a "relaxed" Content-Security-Policy to display the "Security" pages (Users, Roles, Actions, Resources, Permissions). because when i have frame-ancestors 'none' I got
Refused to frame 'https://my.domain.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". when trying to load any "Security" pages.

I had to allow same-origin framing (frame-ancestors 'self') in our ALB to be able to see these pages.

More discussions are in this slack thread.

What you think should happen instead?

From the discussion, this might or might not be a bug. But it was not an issue before.

How to reproduce

Set frame-ancestors 'none' in the Content-Security-Policy and access one of the "Security" pages (Users, Roles, Actions, Resources, Permissions).

Operating System

ubuntu debian

Versions of Apache Airflow Providers

No response

Deployment

Other Docker-based deployment

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[pierrejeambrun]

Are you setting this in your proxy configuration?

I had to allow same-origin framing (frame-ancestors 'self')

What is your setup to achieve that?

[zachliu]

it's configured in our aws load balancer:

EC2 > Load balancers > my-application-name > Listeners and rules > HTTPS:443 > Attributes > Edit > Add response headers drop-down > toggle Add Content Security Policy (CSP) header > update/add the frame-ancestors 'self'; object-src 'none'; upgrade-insecure-requests; block-all-mixed-content

[pierrejeambrun]

I understand.

I don’t think that the CSP should be set or configurable in AF3 itself. That should be done like you are doing at the proxy level.

I’ll double check that things are working when no CSP is configured on the proxy side, if so I will close the issue.

We had such a discussion back in AF2 that hints the same #26011

[zachliu]

we've been using frame-ancestors 'none' for a while and it didn't cause any issue in AF2
but AF2 didn't have embedded iframe right?

[pierrejeambrun]

I was able to test this with a reverse proxy (nginx), without any specific CSP, iframes are not blocked. On the other hand if I set frame-ancestors 'none', indeed iframes rendering is blocked.

Closing this one as this is not an airflow problem but a proxy configuration issue, you should be setting the appropriate CSP at the proxy level for iframes not to be blocked.

Feel free to re-open if needed.

[pierrejeambrun]

I'll add some documentation about it.

[pierrejeambrun]

#50236

[zachliu]

AF2 didn't have embedded iframe right?

@pierrejeambrun thank you. still out of curiosity, AF2 didn't have iframe?