Update Slack Image URL in Talisman Configuration #32606

Open
@v9dev

Bug description

Issue: Update Slack Image URL in Talisman Configuration

Description:
The current Talisman configuration in Apache Superset includes an outdated or incorrect Slack image URL:
https://avatars.slack-edge.com/, which results in an Access Denied error when trying to load Slack-related images.

At first, I thought the issue was with loading images generally, but after investigating the URL, I realized that the Slack image could not be fetched. To temporarily resolve the issue, I allowed images from any source using a wildcard (*), but this is not a good security practice.

I attempted enabling Slack thumbnails with the assumption that if it worked, I could also add my S3 bucket URL. However, since the Slack image failed to load, I used my S3 bucket instead, and it worked. Later, I found that using Slack’s CDN URL (https://cdn.brandfolder.io/) in Talisman allowed the Slack image to load successfully.


Proposed Fix:

  1. Update the Slack image URL in TALISMAN_DEV_CONFIG to use
    https://cdn.brandfolder.io/ instead of https://avatars.slack-edge.com/.
  2. Add documentation explaining how to configure Talisman for loading external images in Superset.
  3. Provide guidance on securely allowing image sources (e.g., from S3 or other services) without using wildcards.

Steps to Reproduce:

  1. Run Superset with the current TALISMAN_DEV_CONFIG.
  2. Try loading a Slack-related image: set "SLACK_ENABLE_AVATARS": True and uncomment https://avatars.slack-edge.com/ in Talisman.
  3. Observe that the image URL (https://avatars.slack-edge.com/) returns an Access Denied error.
  4. Replace the URL with https://cdn.brandfolder.io/ and confirm that the issue is resolved.

Expected Behavior:

  • Slack images should load correctly using the updated CDN URL.
  • Users should be able to configure external images (e.g., from S3) with clear documentation.
  • The Talisman policy should be secure and not rely on wildcards.

Additional Context:

  • Current problematic URL: https://avatars.slack-edge.com/
  • Working URL: https://cdn.brandfolder.io/
  • The issue was identified while testing Slack thumbnails and integrating S3 image hosting.

Would appreciate if this could be updated in the codebase and documented for other users who may face similar issues. Thanks! 🙌

Superset version

master / latest-dev

Python version

3.11

Node version

18 or greater

Browser

Chrome

Additional context

Yes, I enabled "SLACK_ENABLE_AVATARS": True.

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
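
Added example (not part of the issue and not Superset's own code): a simplified audit of a Talisman-style `img-src` list that flags wildcard entries and reports which sample image URLs no entry covers, so the host an image is actually served from can be allowlisted instead of `*`. The function names, the S3 bucket host and the sample URLs are assumptions; ports and paths are ignored and `'self'` is not evaluated.

```python
from urllib.parse import urlsplit

def _matches(source, url):
    """Simplified CSP source match: '*', scheme sources, hosts, '*.' subdomains."""
    u = urlsplit(url)
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):            # scheme source such as data: or https:
        return u.scheme == source[:-1]
    if source.startswith("'"):          # keywords like 'self' need the page origin
        return False
    s = urlsplit(source)
    if s.scheme != u.scheme or not s.hostname or not u.hostname:
        return False
    if s.hostname.startswith("*."):     # '*.example.com' covers subdomains only
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname

def audit_img_src(talisman_config, image_urls):
    """Report wildcard-style img-src entries and the sample URLs no entry covers."""
    sources = talisman_config["content_security_policy"]["img-src"]
    wildcards = [s for s in sources if s in ("*", "http:", "https:")]
    blocked = [u for u in image_urls if not any(_matches(s, u) for s in sources)]
    return {"wildcards": wildcards, "blocked": blocked}

# Constructed configs: the wildcard workaround and an explicit allowlist.
WILDCARD_CFG = {"content_security_policy": {"img-src": ["'self'", "*"]}}
ALLOWLIST_CFG = {"content_security_policy": {"img-src": [
    "'self'", "blob:", "data:",
    "https://cdn.brandfolder.io/",
    "https://example-bucket.s3.amazonaws.com",  # hypothetical S3 bucket host
]}}

# Constructed sample URLs, one per host discussed plus an unrelated host.
SAMPLE_URLS = [
    "https://cdn.brandfolder.io/sample/slack.png",
    "https://example-bucket.s3.amazonaws.com/logo.png",
    "https://avatars.slack-edge.com/sample/avatar.png",
    "https://images.example.org/tracker.gif",
]

if __name__ == "__main__":
    print(audit_img_src(WILDCARD_CFG, SAMPLE_URLS))
    print(audit_img_src(ALLOWLIST_CFG, SAMPLE_URLS))
```
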
