Describe the bug
The visual lineage toolbar has a Screenshot button that exports the graph as a PNG. It builds a `data:image/png;base64,...` URI and loads it into an `<img>`, but the frontend's default Content-Security-Policy has `img-src *`. Per the CSP spec, `*` does not match non-network schemes such as `data:`, so the browser blocks the image and the button silently does nothing. The same CSP already allows `data:` in `script-src` and `font-src` — `img-src` appears to be an oversight. The CSP was introduced in #17277.
To Reproduce
Steps to reproduce the behavior:
- Open a dataset's Lineage (visual) view.
- Click the Screenshot button in the toolbar.
- Observe that nothing is downloaded.
- Open the browser console and see the CSP violation:
```
Loading the image 'data:image/png;base64,iVBORw0KGgo...' violates the following
Content Security Policy directive: "img-src *". Note that '*' matches only URLs with
network schemes ('http', 'https', 'ws', 'wss')... The scheme 'data:' must be added
explicitly. The action has been blocked.
```
Expected behavior
Clicking Screenshot exports/downloads the lineage graph as a PNG. The frontend CSP should allow `data:` in `img-src` (e.g. `img-src * data:`), consistent with how `script-src` and `font-src` already include `data:`.
Screenshots
N/A (console error quoted above).
Desktop (please complete the following information):
- OS: macOS
- Browser: Chrome
- Version: 149.0.7827.115 (Official Build) (arm64)
Additional context
- DataHub v1.6.0 (Helm chart datahub 1.0.1), OSS self-hosted.
- Served CSP header from the frontend:
  ```
  frame-src *; base-uri 'self' https: http:; script-src 'unsafe-inline' 'unsafe-eval' https: http: data:; img-src *; worker-src * blob:; default-src *; object-src *; manifest-src *; frame-ancestors *; font-src * data:; connect-src *; style-src 'unsafe-inline' https: http:
  ```
- Workaround: override the CSP response header at the reverse proxy / ingress to add `data:` to `img-src`.
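As an added illustration (not DataHub's code), the following models the CSP source-matching rule behind this report: `*` matches only network schemes, so the header quoted above blocks the Screenshot button's `data:` image while `img-src * data:` allows it. The header string is the one from this report; the `data:` URI is a constructed, truncated stand-in.

```javascript
// Added example (not DataHub's code): a minimal model of how a browser applies the
// CSP img-src directive, following the CSP3 rule quoted in the console error above:
// the '*' wildcard matches only network schemes, so data: needs an explicit source.
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// Parse a serialized policy into Map<directive name, [source expressions]>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Match one source expression against a URL. Only the forms this report needs:
// '*' (network schemes only) and bare scheme-sources such as data: or https:.
// Host-sources and keywords like 'self' are out of scope and never match here.
function sourceMatches(source, url) {
  if (source === '*') return NETWORK_SCHEMES.has(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  return false;
}

// Would an <img> load of urlString be allowed? img-src governs if present,
// otherwise default-src; with neither, the policy places no restriction.
function imageAllowed(header, urlString) {
  const url = new URL(urlString);
  const csp = parseCsp(header);
  const directive = ['img-src', 'default-src'].find((d) => csp.has(d));
  if (directive === undefined) return true;
  return csp.get(directive).some((s) => sourceMatches(s, url));
}

// The header quoted in this report, and the same header with the proposed img-src fix.
const REPORTED_CSP =
  "frame-src *; base-uri 'self' https: http:; script-src 'unsafe-inline' 'unsafe-eval' https: http: data:; " +
  "img-src *; worker-src * blob:; default-src *; object-src *; manifest-src *; frame-ancestors *; " +
  "font-src * data:; connect-src *; style-src 'unsafe-inline' https: http:";
const FIXED_CSP = REPORTED_CSP.replace('img-src *;', 'img-src * data:;');

// Constructed stand-in for the URI the Screenshot button builds (truncated, not a real PNG).
const SCREENSHOT_URI = 'data:image/png;base64,iVBORw0KGgo';

console.log('reported policy allows screenshot:', imageAllowed(REPORTED_CSP, SCREENSHOT_URI)); // false
console.log('fixed policy allows screenshot:   ', imageAllowed(FIXED_CSP, SCREENSHOT_URI));    // true
```

The same rule means a `blob:` URL (for example from `URL.createObjectURL`) is also blocked by `img-src *`, so switching the export away from `data:` would not by itself avoid the need to widen the directive.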