loretoparisi opened a new issue, #27376: URL: https://github.com/apache/superset/issues/27376
### Bug description

I cannot force the embedded chart to send the `Cross-Origin-Resource-Policy` header. I have set the CORS options and embedding parameters for iframe embedding as well as the Cookie and CSP policy. Superset is hosted at `localhost:8088` while I'm embedding charts at `localhost:9000`. I have followed the configuration of Flask `CORS_OPTIONS` [here](https://github.com/apache/superset/issues/20425), but I cannot get rid of sending the right headers from the embedded chart.

This is my `superset_config.py`

```python
# CORS OPTIONS
ENABLE_CORS = True
CORS_OPTIONS = {
    'supports_credentials': True,
    'allow_headers': ['*'],
    'resources': ['*'],
    'origins': ['http://localhost:9000', 'http://localhost:8088']
}
SUPERSET_FEATURE_EMBEDDED_SUPERSET = True

# EMBED CODE IFRAME OPTIONS
OVERRIDE_HTTP_HEADERS = {'X-Frame-Options': 'ALLOWALL'}
HTTP_HEADERS = {"X-Frame-Options": "ALLOWALL"}
SUPERSET_WEBSERVER_DOMAINS = ['localhost', 'localhost:8088', 'localhost:9000']

# SESSION_COOKIE_DOMAIN
# (default: "Lax") Prevents the browser from sending this cookie along with cross-site requests.
SESSION_COOKIE_SAMESITE = "None"
# (default: False): Controls if cookies should be set with the HttpOnly flag.
SESSION_COOKIE_HTTPONLY = False
# (default: False) Browsers will only send cookies with requests over HTTPS if the cookie is marked “secure”.
# The application must be served over HTTPS for this to make sense.
SESSION_COOKIE_SECURE = False
#CSRF_COOKIE_HTTPONLY = False
WTF_CSRF_ENABLED = False

# TALISMAN_ENABLED defaults to True; set this to False in order to disable CSP
# @see https://superset.apache.org/docs/security/#csp-requirements
TALISMAN_ENABLED = False

# you grant public role the same set of permissions as for the GAMMA role.
# This is useful if one wants to enable anonymous users to view dashboards.
# @see https://apache-superset.readthedocs.io/en/0.35.1/security.html
PUBLIC_ROLE_LIKE_GAMMA = False

# For environments where CSP policies are defined outside of Superset using other software,
# administrators can disable this warning
CONTENT_SECURITY_POLICY_WARNING = False
```

and the iframe was

```html
<iframe
  width="600"
  height="400"
  seamless
  frameBorder="0"
  allowfullscreen
  scrolling="no"
  src="http://localhost:8088/superset/explore/p/a8yN1wGMobp/?standalone=1&height=400&show_filters=true&expand_filters=true"
>
</iframe>
```

while the python server serving that iframe is

```python
#!/usr/bin/env python3
from http.server import HTTPServer, SimpleHTTPRequestHandler, test
import sys


class CORSRequestHandler(SimpleHTTPRequestHandler):
    def end_headers(self):
        """
        Cross-Origin-Resource-Policy: cross-origin if the resource is served from
        another location than your website. ⚠️If you set this header, any website
        can embed this resource.
        Cross-Origin-Resource-Policy: same-site if the resource and your site are
        served from the same site.
        Cross-Origin-Embedder-Policy: credentialless instead of require-corp. It
        allows loading the resource, despite the missing CORP header, at the cost
        of requesting it without credentials like Cookies.
        """
        self.send_header('Cross-Origin-Embedder-Policy', 'credentialless')  # require-corp
        self.send_header('Cross-Origin-Opener-Policy', 'cross-origin')  # same-origin
        self.send_header('Cross-Origin-Resource-Policy', 'cross-origin')
        self.send_header('X-Frame-Options', 'allow-from *')
        self.send_header("Access-Control-Allow-Origin", "*")
        SimpleHTTPRequestHandler.end_headers(self)


# Serve the current directory on the port given as first argument (default 8000).
test(CORSRequestHandler, HTTPServer, port=int(sys.argv[1]) if len(sys.argv) > 1 else 8000)
```

### How to reproduce the bug

1. Copy the `superset_config.py` provided above
2. Copy the `html` code above in a `embed.html` page
3. Create a `cors.py` python file
4. Execute `python cors.py 9000` to serve the embedded chart

### Screenshots/recordings

The Chrome error was

```
Specify a Cross-Origin Resource Policy to prevent a resource from being blocked

Because your site has the Cross-Origin Embedder Policy (COEP) enabled, each resource must specify a suitable Cross-Origin Resource Policy (CORP). This behavior prevents a document from loading cross-origin resources which don’t explicitly grant permission to be loaded.

To solve this, add the following to the resource’ response header:
Cross-Origin-Resource-Policy: same-site if the resource and your site are served from the same site.
Cross-Origin-Resource-Policy: cross-origin if the resource is served from another location than your website. ⚠️If you set this header, any website can embed this resource.

Alternatively, the document can use the variant:
Cross-Origin-Embedder-Policy: credentialless instead of require-corp. It allows loading the resource, despite the missing CORP header, at the cost of requesting it without credentials like Cookies.
```

### Superset version

master / latest-dev

### Python version

3.9

### Node version

18 or greater

### Browser

Chrome

### Additional context

_No response_

### Checklist

- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
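An added example, not code from the issue or from Superset, that models the COEP/CORP decision the Chrome message above describes: paste each server's response headers (for instance `curl -I` output) into `parse_headers` and `corp_check` reports whether the embed loads, whether cookies travel with it, and which side has to change. It assumes the two `localhost` origins from the report and a simplified notion of "site".

```python
# Added example, not Superset code: a model of the COEP/CORP decision that the
# Chrome error above describes. Simplified: 'site' ignores the Public Suffix
# List, and the extra COEP rules for iframe documents are not modelled.
from urllib.parse import urlsplit

def site_of(origin: str) -> str:
    """Approximate site: last two host labels, or the whole host for 'localhost'."""
    host = (urlsplit(origin).hostname or "").lower()
    labels = host.split(".")
    return host if len(labels) < 2 else ".".join(labels[-2:])

def parse_headers(raw: str) -> dict:
    """'Name: value' lines (e.g. pasted curl -I output) -> dict of lower-cased names."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def corp_check(embedder_origin, resource_origin, embedder_headers, resource_headers):
    """Return (loads, with_credentials, reason) for embedding the resource."""
    coep = embedder_headers.get("cross-origin-embedder-policy", "unsafe-none").lower()
    corp = resource_headers.get("cross-origin-resource-policy", "").lower()
    same_origin = embedder_origin.lower() == resource_origin.lower()
    same_site = site_of(embedder_origin) == site_of(resource_origin)
    # A CORP header sent by the resource is enforced whatever the embedder's COEP is.
    if corp == "same-origin" and not same_origin:
        return False, False, "resource CORP same-origin forbids cross-origin loads"
    if corp == "same-site" and not same_site:
        return False, False, "resource CORP same-site forbids cross-site loads"
    if same_origin or corp in ("cross-origin", "same-site"):
        return True, True, "resource CORP permits the load"
    # No usable CORP on the resource: the embedder's COEP decides.
    if coep == "require-corp":
        return False, False, "COEP require-corp: resource lacks CORP; set it on the resource server"
    if coep == "credentialless":
        return True, False, "COEP credentialless: loaded, but cookies are not sent"
    return True, True, "no COEP on the embedder: loaded with credentials"

# Constructed headers mirroring the report: the page on :9000 sends COEP and CORP,
# the Superset response from :8088 sends no CORP at all.
EMBEDDER = parse_headers("HTTP/1.0 200 OK\nCross-Origin-Embedder-Policy: credentialless\n"
                         "Cross-Origin-Resource-Policy: cross-origin\n")
SUPERSET_NO_CORP = parse_headers("HTTP/1.1 200 OK\nContent-Type: text/html\n")
SUPERSET_WITH_CORP = parse_headers("HTTP/1.1 200 OK\nCross-Origin-Resource-Policy: cross-origin\n")

def report_case(resource_headers, embedder_headers=EMBEDDER):
    """The reporter's setup: a page on :9000 embedding a Superset chart from :8088."""
    return corp_check("http://localhost:9000", "http://localhost:8088", embedder_headers, resource_headers)
```

The CORP header set by `cors.py` on port 9000 never enters the decision; only the header on the Superset response from 8088 does.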
