superset
HTTP_HEADERS, DEFAULT_HTTP_HEADERS and OVERRIDE_HTTP_HEADERS seem not to have any effect
How to reproduce the bug
We have this config in superset_config.py:

```python
HTTP_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM *",
    "x-frame-options": "ALLOW-FROM *",
    "Content-Security-Policy": "frame-ancestors http://* https://*",
    "content-security-policy": "frame-ancestors http://* https://*"
}
DEFAULT_HTTP_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM *",
    "x-frame-options": "ALLOW-FROM *",
    "Content-Security-Policy": "frame-ancestors http://* https://*",
    "content-security-policy": "frame-ancestors http://* https://*"
}
OVERRIDE_HTTP_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM *",
    "x-frame-options": "ALLOW-FROM *",
    "Content-Security-Policy": "frame-ancestors http://* https://*",
    "content-security-policy": "frame-ancestors http://* https://*"
}
```
But once a dashboard is embedded in an iframe, the client keeps getting `x-frame-options: SAMEORIGIN`.
Expected results
I was expecting to override the x-frame-options header.
Actual results
The client keeps receiving `x-frame-options: SAMEORIGIN`.
What is the right way to remove this limitation?
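Added example, not from the thread and not the Superset project's own code: a superset_config.py fragment that keeps Talisman enabled and tells it which origins may frame dashboards. Talisman writes X-Frame-Options and Content-Security-Policy itself, which is why values put in HTTP_HEADERS/OVERRIDE_HTTP_HEADERS are not what the browser ends up seeing. `TALISMAN_ENABLED = False` makes the symptom go away but also drops the CSP and every other header Talisman adds. Two further caveats on the config above: `X-Frame-Options: ALLOW-FROM` is obsolete and ignored by current browsers, and `frame-ancestors http://* https://*` lets any site frame the dashboard, which is the clickjacking risk the header exists to prevent. The base CSP below is the one Superset 3.0 ships in config.py (copy the one from the version you run); `EMBEDDING_ORIGINS` and the hostname in it are assumptions.

```python
# superset_config.py fragment: added example, not the project's own defaults.
import copy

# Assumption: the site(s) that will embed Superset dashboards in an iframe.
EMBEDDING_ORIGINS = ["https://portal.example.com"]

# Talisman CSP as shipped in Superset 3.0's superset/config.py. Take the dict from
# the version you deploy; only frame-ancestors and frame_options are changed below.
BASE_TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:",
                    "https://apachesuperset.gateway.scarf.sh", "https://static.scarf.sh/"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
        "object-src": "'none'",
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}


def talisman_config_for_embedding(base, origins):
    """Copy `base`, restrict framing to `origins` via CSP frame-ancestors, and stop
    Talisman from emitting X-Frame-Options so the CSP alone decides who may frame.

    Wildcard or scheme-less origins are rejected: "frame-ancestors *" (or
    "https://*") lets any site frame the dashboard, i.e. clickjacking.
    """
    for origin in origins:
        if "*" in origin or not origin.startswith(("https://", "http://")):
            raise ValueError(f"frame-ancestors needs an explicit origin, got {origin!r}")
    cfg = copy.deepcopy(base)
    cfg["content_security_policy"]["frame-ancestors"] = ["'self'", *origins]
    # flask-talisman: frame_options=None means "do not set X-Frame-Options".
    # X-Frame-Options cannot express an allow-list (ALLOW-FROM is obsolete), so
    # leaving it out and relying on frame-ancestors is the only way to admit a
    # specific third-party origin while still blocking everyone else.
    cfg["frame_options"] = None
    return cfg


TALISMAN_ENABLED = True  # keep the CSP, script nonces and other headers Talisman adds
TALISMAN_CONFIG = talisman_config_for_embedding(BASE_TALISMAN_CONFIG, EMBEDDING_ORIGINS)
# Superset uses TALISMAN_DEV_CONFIG instead when the app runs in debug mode;
# apply the same change there if you embed against a dev server.

# A cross-site iframe only receives the session cookie when it is SameSite=None
# and Secure, so both Superset and the embedding page must be served over HTTPS.
SESSION_COOKIE_SAMESITE = "None"
SESSION_COOKIE_SECURE = True

FEATURE_FLAGS = {"EMBEDDED_SUPERSET": True}
```

After restarting the container (not `superset init`), the dashboard response should carry `content-security-policy: ... frame-ancestors 'self' https://portal.example.com` and no `x-frame-options` header at all; if `x-frame-options: SAMEORIGIN` is still there, something in front of Superset is adding it.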
Same problem here
Same problem with 3.0rc2
@giacomochiarella, the issue might be due to "Enable CSP by default". I was facing the same issue, but after I set `TALISMAN_ENABLED = False` in superset_config.py I was able to get the embed working.
I did the same and it worked. But I've read nowhere how the HTTP headers configuration and Talisman work together.
I wonder if there is a proxy sitting in front of your Superset? If there is one, you need to make sure your proxy does not have anything special in X-Frame-Options. `X-Frame-Options: ""` is just the syntax to remove X-Frame-Options for Traefik, which is the proxy I'm using.
Wrote a guide on it, hopefully, it helps someone 😄 Choose your preferred media 😝
https://huamichaelchen.substack.com/p/end-to-end-example-of-setting-up
https://medium.com/@huamichaelchen/end-to-end-example-of-setting-up-superset-embedded-dashboard-f72fc985559
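Added example, not from the thread: a POSIX-shell check for the proxy question raised above, i.e. which layer is setting the framing headers. It fetches the response headers once through the proxy-facing URL and once directly from the gunicorn backend, keeps only X-Frame-Options and Content-Security-Policy, and compares the two. The two URLs are placeholders for your deployment.

```shell
#!/bin/sh
# Added example, not from the thread. Which layer sets the framing headers:
# the reverse proxy (Traefik, Caddy, a cloud load balancer) or Superset itself?
# Assumption: these two URLs are placeholders for your deployment.
PROXY_URL="https://superset.example.com/superset/welcome/"
BACKEND_URL="http://127.0.0.1:8088/superset/welcome/"   # straight to gunicorn, bypassing the proxy

# Keep only the framing-related response headers from raw HTTP headers on stdin,
# lower-cased (header names are case-insensitive) and with CR stripped.
framing_headers() {
    tr -d '\r' | grep -i -E '^(x-frame-options|content-security-policy):' | tr 'A-Z' 'a-z'
}

# Fetch a URL, discard the body, and pass only the response headers on.
# No -L: an unauthenticated request is redirected to /login/, and that
# redirect already carries the headers Talisman adds to every response.
framing_headers_for_url() {
    curl -sS -o /dev/null -D - "$1" | framing_headers
}

# Compare the header set seen through the proxy ($1) with the backend's ($2)
# and say where to look.
compare_layers() {
    proxy_headers=$1
    backend_headers=$2
    if [ -z "$backend_headers" ] && [ -n "$proxy_headers" ]; then
        echo "proxy adds the headers: fix the proxy configuration"
    elif [ "$proxy_headers" = "$backend_headers" ]; then
        echo "same headers from proxy and backend: fix the Superset (Talisman) configuration"
    else
        echo "headers differ: the proxy rewrites them; check both the proxy and Superset"
    fi
}

main() {
    proxy=$(framing_headers_for_url "$PROXY_URL")
    backend=$(framing_headers_for_url "$BACKEND_URL")
    printf 'via proxy:\n%s\nvia backend:\n%s\n' "$proxy" "$backend"
    compare_layers "$proxy" "$backend"
}

# Only touch the network when asked to: sh check_framing_headers.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it from a host that can reach both the public hostname and the container port. A `Server: gunicorn` line in the backend response with `x-frame-options: sameorigin` next to it means Superset (Talisman) is the source, not the proxy.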
Same result with this config:

```python
TALISMAN_ENABLED = False
SESSION_COOKIE_SAMESITE = None
ENABLE_PROXY_FIX = True
PUBLIC_ROLE_LIKE_GAMMA = True
FEATURE_FLAGS = { "EMBEDDED_SUPERSET": True }
SQLALCHEMY_DATABASE_URI = 'postgresql://postgres:postgres@db:5432/superset'
HTTP_HEADERS = {'X-Frame-Options': 'ALLOWALL'}
CORS_OPTIONS = { 'supports_credentials': True, 'allow_headers': ['*'], 'resources': ['*'], 'origins': ['*'] }
```

When trying to embed the dashboard, the response header is always `x-frame-options: SAMEORIGIN`, meaning the HTTP server does not allow embedding frames.
My Superset is deployed at localhost (no proxy) with docker-compose.
Perhaps a gunicorn setting to change?
Same here with Google Cloud load balancer and k8s: balancer with HTTPS and internal traffic with HTTP.
reference post: https://medium.com/@huamichaelchen/end-to-end-example-of-setting-up-superset-embedded-dashboard-f72fc985559
I tried with `TALISMAN_ENABLED = False` and got the same error: 403 and "refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin'". User has proper permissions.
My helm values override:

```yaml
configOverrides:
  my_override: |
    SESSION_COOKIE_SAMESITE = 'Lax'
    SESSION_COOKIE_SECURE = True
    ENABLE_PROXY_FIX = True
    CORS_OPTIONS = {
        'supports_credentials': True,
        'allow_headers': ['*'],
        'resources': ['*'],
        'origins': ['*']
    }
    FEATURE_FLAGS = {
        "DASHBOARD_RBAC": True,
        "EMBEDDABLE_CHARTS": True,
        "EMBEDDED_SUPERSET": True,
        "ENABLE_TEMPLATE_PROCESSING": True,
        "LISTVIEWS_DEFAULT_CARD_VIEW": True
    }
    HTTP_HEADERS={"X-Frame-Options":"", "Content-Security-Policy": "frame-ancestors *"}
    from flask_appbuilder.security.manager import AUTH_DB
    AUTH_TYPE = AUTH_DB
    AUTH_ROLE_ADMIN = 'Admin'
    AUTH_USER_REGISTRATION = False
```
> @giacomochiarella, the issue might be due to "Enable CSP by default". I was facing the same issue, but after I set `TALISMAN_ENABLED = False` in superset_config.py I was able to get the embed working.

Thanks, it worked for me. Superset version apache/superset:3.0.2rc1, embedded in Angular.
That is my config:

```python
TALISMAN_ENABLED = False
ENABLE_CORS = True
#HTTP_HEADERS={}
WTF_CSRF_ENABLED=False
CORS_OPTIONS = {
    "supports_credentials": True,
    "allow_headers": "*",
    "expose_headers": "*",
    "resources": "*",
    "origins": "*"
}
```
Thanks @goldman7911 that solution also worked for me using Helm Chart.
Feeling a bit lost here, but is the situation effectively solved, then? Is there anything that ought to be added to the docs to help others in the future?
> @giacomochiarella, the issue might be due to "Enable CSP by default". I was facing the same issue, but after I set `TALISMAN_ENABLED = False` in superset_config.py I was able to get the embed working.

Thanks, it worked for me, but now I have another error: `POST http://localhost:8088/api/v1/chart/data 403 (FORBIDDEN)`. I tried to find any solution but no luck still. I hope someone knows something about it.
~~I'm using Caddy as my reverse proxy, and have tried all of these options without success.~~
~~Additionally, I've tried configuring CORS with `CORS_OPTIONS: dict[Any, Any] = {'origins': ['*']}` without luck.~~
~~When I inspect the frame, I see that the server is listed as gunicorn and the X-Frame-Options are set to SAMEORIGIN. This holds true no matter what options I change.~~
~~I've researched and haven't seen a way to configure gunicorn that coincides with what Superset offers (I never found a config). I've tried playing with the Flask settings that I saw on another forum, but still no luck.~~
~~Any thoughts?~~
Edit: I fixed it. I was running `docker exec -it superset_app superset init` instead of restarting the docker container. I restarted the container, it broke lots of things, then I reset everything to factory settings. I modified the config to say `TALISMAN=False` and restarted, and it worked as expected.