apache/superset

Issues embedding dashboard in public website

RealTun opened this issue · 6 comments

Bug description

I'm using Superset via

docker compose -f docker-compose-non-dev.yml up -d

I tried adding this to superset_config.py:

TALISMAN=False
HTTP_HEADERS = {'X-Frame-Options': 'ALLOWALL'}
PUBLIC_ROLE_LIKE = "Gamma"

So I get this error:

Refused to display 'http://localhost:8088/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Hey @RealTun, I'm here to assist you with the issue you're facing in embedding the Superset dashboard. I can help you with bug fixes, answering questions, and even guide you on how to become a contributor. Let's tackle this together!

I found some similar discussions that might help you resolve the issue with embedding a Superset dashboard in a public website:

  1. Embed charts with iframe without any login - This discussion suggests configuring Talisman in the config.py file to allow embedding by setting frame_options to 'ALLOWALL' and frame_options_allow_from to '*'.

  2. Not able to embed superset in iframe - This discussion also deals with iframe embedding issues.

To resolve the 'X-Frame-Options' error, you should modify the superset_config.py file to adjust the Content Security Policy (CSP) settings using flask-talisman. Specifically, configure the frame-ancestors directive to allow your domain:

TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"],
    }
}

After making these changes, restart Superset to apply the new configuration [1].


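As an added example for the configuration discussed above (not code from this thread or from Superset's repository), here is a superset_config.py fragment that lets two hypothetical sites frame Superset while keeping every other site out. It relies on flask-talisman's frame_options keyword, which Superset hands through from TALISMAN_CONFIG, to stop emitting X-Frame-Options; the CSP frame-ancestors directive then carries the whole framing policy, and browsers that support it give that directive precedence over X-Frame-Options in any case. Two caveats before copying anything: ALLOWALL is not a value defined for X-Frame-Options (RFC 7034 defines DENY, SAMEORIGIN and ALLOW-FROM), so browsers discard such a header instead of honouring it; and a wildcard source such as *.example.com matches subdomains only, never example.com itself, so the origins that will actually host the iframe should be listed exactly, scheme and port included.

```python
# superset_config.py: example written for this thread, not Superset's shipped config.
TALISMAN_ENABLED = True

# Hypothetical origins of the pages that will host the <iframe>. List them exactly,
# scheme and port included; "*.localhost" would match app.localhost but not localhost.
EMBEDDING_ORIGINS = ["http://localhost:3000", "http://127.0.0.1:5500"]

TALISMAN_CONFIG = {
    # Stop flask-talisman from emitting X-Frame-Options at all (it skips the header
    # when frame_options is falsy); the frame-ancestors directive below is the policy.
    "frame_options": None,
    "content_security_policy": {
        # Illustrative directives only: this dict replaces Superset's default
        # TALISMAN_CONFIG wholesale, so copy the rest of the policy from the default
        # in superset/config.py for the version you run and add frame-ancestors to it.
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:", "blob:"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'strict-dynamic'"],
        "object-src": "'none'",
        # Who may frame Superset. Never "*" on a public instance: any site could then
        # frame the dashboard, for clickjacking or simply to free-ride on it.
        "frame-ancestors": ["'self'", *EMBEDDING_ORIGINS],
    },
    "content_security_policy_nonce_in": ["script-src"],
    # Local-HTTP values for a docker-compose test; both belong on True behind TLS.
    "force_https": False,
    "session_cookie_secure": False,
}

# Not this: ALLOWALL is not a value RFC 7034 defines. Browsers discard the header,
# which removes the framing protection instead of configuring it.
# HTTP_HEADERS = {"X-Frame-Options": "ALLOWALL"}
```

After restarting Superset, `curl -sI http://localhost:8088/` should show a Content-Security-Policy header that contains frame-ancestors and no X-Frame-Options header at all; if SAMEORIGIN is still there, the config file is not the one the container is loading, or something in front of Superset is adding the header.
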
@dosu I added:

TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        "frame-ancestors": [".127.0.0.1:5500", ".localhost:3000"],
    }
}

but I still get the same error

Ensure that the TALISMAN_CONFIG is correctly set in your superset_config.py file and that Superset is restarted after making these changes. Additionally, verify that the X-Frame-Options header is not being set elsewhere in your configuration or by any reverse proxy or web server in front of Superset.

If the issue persists, you might want to explicitly set the X-Frame-Options header to ALLOWALL in the HTTP_HEADERS configuration:

HTTP_HEADERS = {
    'X-Frame-Options': 'ALLOWALL'
}

Make sure that TALISMAN_ENABLED is set to True and that there are no conflicting settings in your environment. After making these changes, restart Superset to ensure the new settings take effect.


@dosu I added it, still get the same error

TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        "frame-ancestors": ["*.127.0.0.1:5500", "*.localhost:3000"],
    }
}
HTTP_HEADERS = {
    'X-Frame-Options': 'ALLOWALL'
}

Ensure that there are no other configurations or middleware that might be overriding your settings. Here are a few steps to troubleshoot further:

  1. Check for Conflicts: Make sure there are no other settings or middleware (like a reverse proxy) that might be setting the X-Frame-Options header to sameorigin.

  2. Order of Configuration: Ensure that the TALISMAN_CONFIG and HTTP_HEADERS are correctly placed in your superset_config.py and that there are no other conflicting configurations.

  3. Restart Superset: After making changes to the configuration, restart your Superset instance to apply the new settings.

  4. Browser Cache: Clear your browser cache or try accessing the site in an incognito window to ensure you're not seeing cached headers.

  5. Inspect Headers: Use browser developer tools to inspect the response headers and confirm what X-Frame-Options is being set to. This can help identify if the header is being set elsewhere.

If these steps don't resolve the issue, consider checking any web server or proxy configurations that might be affecting the headers.


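Step 5 above (inspect the response headers) is where a case like this gets decided, so here is an added example, not code from the thread or from Superset, that applies to a captured header block the same rules a current browser applies: an enforced CSP frame-ancestors directive decides when present and X-Frame-Options is then not consulted; an X-Frame-Options value the browser does not recognise, ALLOWALL included, is discarded; two conflicting X-Frame-Options values fall back to DENY. The header blocks under SAMPLES are constructed for a Superset assumed to run at http://localhost:8088, not captured from a live instance, and the matcher simplifies CSP source matching (no IPv6 literals, no path matching, no redirect handling).

```python
"""Framing decision from response headers, as current Chromium/Firefox make it:
an enforced CSP frame-ancestors directive overrides X-Frame-Options, unrecognised
X-Frame-Options values are ignored, and conflicting values fall back to DENY."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def headers_from_text(raw):
    """Parse a pasted header block (curl -i, devtools) into {name: [values]};
    repeated headers stay separate so conflicts remain visible."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_origin(origin):
    """(scheme, host, port) for an origin such as http://localhost:8088."""
    p = urlsplit(origin)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def _is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # wildcard: subdomains only, never the bare name or an IP
        return host.endswith(pattern[1:]) and not _is_ip(host)
    return pattern == host

def _source_matches(src, framed, embedder):
    """Match one frame-ancestors source expression against the embedding origin."""
    e_scheme, e_host, e_port = embedder
    if src == "'none'":
        return False
    if src == "'self'":
        return framed == embedder
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:  # scheme-source such as https:
        return e_scheme == src[:-1].lower()
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, port = rest, None
    if ":" in rest:  # host:port or host:*
        head, _, tail = rest.rpartition(":")
        if tail == "*" or tail.isdigit():
            host, port = head, tail
    want = (scheme or framed[0]).lower()  # no scheme given: inherit the framed page's
    if not (want == e_scheme or (want == "http" and e_scheme == "https")):
        return False
    if not _host_matches(host, e_host):
        return False
    if port is None:  # no port given: the embedder must sit on its scheme's default port
        return e_port == DEFAULT_PORTS.get(e_scheme)
    return port == "*" or int(port) == e_port

def frame_allowed(headers, framed_origin, embedder_origin):
    """Would a page from framed_origin render inside a page at embedder_origin?"""
    framed, embedder = parse_origin(framed_origin), parse_origin(embedder_origin)
    verdicts = []  # one verdict per enforced policy that carries frame-ancestors
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                verdicts.append(any(_source_matches(s, framed, embedder) for s in value.split()))
    if verdicts:
        return all(verdicts)  # CSP decides; X-Frame-Options is not consulted at all
    values = {v.strip().upper() for raw in headers.get("x-frame-options", []) for v in raw.split(",")}
    if not values:
        return True
    if len(values) > 1:
        return False  # conflicting values: browsers fall back to DENY
    value = values.pop()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return framed == embedder
    return True  # ALLOWALL, ALLOW-FROM ...: not a recognised value, header ignored

# Constructed sample responses for a Superset assumed at http://localhost:8088 (not captured).
SAMPLES = {
    "talisman_default": "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\n",
    # ALLOWALL is not defined by RFC 7034: the header is discarded and framing is open to all.
    "allowall": "HTTP/1.1 200 OK\nX-Frame-Options: ALLOWALL\n",
    "conflict": "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\nX-Frame-Options: ALLOWALL\n",
    # frame-ancestors present: it overrides the SAMEORIGIN still on the response.
    "csp_wins": "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\n"
                "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' http://localhost:3000\n",
    # The wildcard form from the thread: *.localhost matches app.localhost, not localhost itself.
    "wildcard": "HTTP/1.1 200 OK\nContent-Security-Policy: frame-ancestors *.127.0.0.1:5500 *.localhost:3000\n",
}
```

Paste the real `curl -i` output into headers_from_text and call frame_allowed with the Superset origin and the origin of the page that hosts the iframe; the "wildcard" sample is the instructive one for this thread, since it is allowed from http://app.localhost:3000 and refused from http://localhost:3000.
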
You probably shouldn't be using docker compose for production servers. @sfirke might be able to help with some of this. Meanwhile, I'll convert this to a Discussion since it's not a bug.