Lineage "Screenshot" export blocked by frontend CSP #18007

Description

@jihonrado

Describe the bug
The visual lineage toolbar has a Screenshot button that exports the graph as a PNG. It builds a data:image/png;base64,... URI and loads it into an <img>, but the frontend's default Content-Security-Policy has img-src *. Per the CSP spec, * does not match non-network schemes such as data:, so the browser blocks the image and the button silently does nothing. The same CSP already allows data: in script-src and font-src; its absence from img-src appears to be an oversight. The CSP was introduced in #17277.

To Reproduce
Steps to reproduce the behavior:

  1. Open a dataset's Lineage (visual) view.
  2. Click the Screenshot button in the toolbar.
  3. Observe that nothing is downloaded.
  4. Open the browser console and see the CSP violation:
Loading the image 'data:image/png;base64,iVBORw0KGgo...' violates the following
Content Security Policy directive: "img-src *". Note that '*' matches only URLs with
network schemes ('http', 'https', 'ws', 'wss')... The scheme 'data:' must be added
explicitly. The action has been blocked.

Expected behavior
Clicking Screenshot exports/downloads the lineage graph as a PNG. The frontend CSP should allow data: in img-src (e.g. img-src * data:), consistent with how script-src and font-src already include data:.

Screenshots
N/A (console error quoted above).

Desktop (please complete the following information):

  • OS: macOS
  • Browser: Chrome
  • Version: 149.0.7827.115 (Official Build) (arm64)

Additional context

  • DataHub v1.6.0 (Helm chart datahub 1.0.1), OSS self-hosted.
  • Served CSP header from the frontend:
frame-src *; base-uri 'self' https: http:; script-src 'unsafe-inline' 'unsafe-eval' https: http: data:; img-src *; worker-src * blob:; default-src *; object-src *; manifest-src *; frame-ancestors *; font-src * data:; connect-src *; style-src 'unsafe-inline' https: http:
  • Workaround: override the CSP response header at the reverse proxy / ingress to add data: to img-src.
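The rule behind this report (a bare * in a source list matches only URLs with a network scheme, so data: has to be listed explicitly) is easy to check offline. The following is an added example, not DataHub code: a small CSP source-list matcher run against the header quoted above and against the proposed fix. It is deliberately simplified (no 'self' resolution, nonces, hashes, paths or ports), and the data URI, function names and host names are constructed for the example.

```javascript
// Added example, not DataHub's code: a small CSP source-list checker that
// models the CSP3 rule behind this bug, that a bare '*' matches only URLs with
// a network scheme (http, https, ws, wss) and that non-network schemes such as
// data: or blob: must be listed explicitly. Simplifications: 'self' is not
// resolved against an origin; nonces, hashes, paths and ports are ignored.
const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);

// The CSP header quoted in the issue, as served by the DataHub frontend.
const SERVED_CSP =
  "frame-src *; base-uri 'self' https: http:; " +
  "script-src 'unsafe-inline' 'unsafe-eval' https: http: data:; img-src *; " +
  "worker-src * blob:; default-src *; object-src *; manifest-src *; " +
  "frame-ancestors *; font-src * data:; connect-src *; " +
  "style-src 'unsafe-inline' https: http:";

// The fix proposed in the issue: add data: to img-src, leaving the rest intact.
const FIXED_CSP = SERVED_CSP.replace("img-src *;", "img-src * data:;");

// Parse "directive source source; directive ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// host-source such as example.com, *.example.com or https://example.com.
function hostSourceMatches(source, url) {
  const scheme = schemeOf(url);
  if (!NETWORK_SCHEMES.has(scheme)) return false; // host-sources describe network origins only
  let u;
  try { u = new URL(url); } catch { return false; }
  const m = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const srcScheme = m[1] ? m[1].toLowerCase() : null;
  const srcHost = m[2].toLowerCase();
  // A source scheme must match; http: in the policy also admits https: URLs.
  if (srcScheme && srcScheme !== scheme && !(srcScheme === "http" && scheme === "https")) return false;
  const host = u.hostname.toLowerCase();
  return srcHost.startsWith("*.") ? host.endsWith(srcHost.slice(1)) : host === srcHost;
}

function sourceMatches(source, url) {
  const scheme = schemeOf(url);
  if (source === "'none'") return false;
  if (source === "*") return NETWORK_SCHEMES.has(scheme); // the rule at the heart of this bug
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(source)) {         // scheme-source: https:, data:, blob:
    const s = source.slice(0, -1).toLowerCase();
    return s === scheme || (s === "http" && scheme === "https");
  }
  if (source.startsWith("'")) return false;                 // 'self', 'unsafe-inline', nonces: out of scope
  return hostSourceMatches(source, url);
}

// Fetch directives fall back to default-src when not set explicitly.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy["default-src"]) return policy["default-src"];
  return null;
}

// Would a browser enforcing `header` allow `url` to load under `directive`?
function isAllowed(header, directive, url) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true; // no applicable directive: unrestricted
  return sources.some((s) => sourceMatches(s, url));
}

// Constructed stand-in for the Screenshot export's data URI (truncated payload).
const SCREENSHOT_URI = "data:image/png;base64,iVBORw0KGgo";

console.log("served img-src allows data: ->", isAllowed(SERVED_CSP, "img-src", SCREENSHOT_URI)); // false
console.log("fixed  img-src allows data: ->", isAllowed(FIXED_CSP, "img-src", SCREENSHOT_URI));  // true
```

Running it shows the served header rejecting the PNG data URI under img-src while the same header accepts a data: font under font-src and a blob: worker under worker-src, which is exactly the asymmetry the report describes; the one-token change to img-src flips the result without loosening any other directive.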

Labels: bug (Bug report)
Assignees: none