GitHub user stgztsw added a comment to the discussion: The issue regarding obtaining an Embedded Token
> The CSRF token error happens because the `/api/v1/security/guest_token/`
> endpoint is protected by CSRF middleware, so POST requests must include a
> valid CSRF token in the headers. You can fetch the token by making a GET
> request to `/api/v1/security/csrf_token/` and then include it in your POST
> request headers as `X-CSRFToken` (or as a cookie, depending on your setup)
> [source](https://github.com/apache/superset/discussions/31465).
>
> If you want to disable CSRF protection for this endpoint (for example, in
> API-based embedding scenarios), you can add its identifier to the
> `WTF_CSRF_EXEMPT_LIST` in your `superset_config.py` file. The identifier is
> likely `'superset.security.api.guest_token'`
> [source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py).
> This will exempt the endpoint from CSRF checks, but be aware of the security
> implications.
>
> For most setups, the recommended approach is to fetch the CSRF token and
> include it in your request. Also, make sure the `Referer` header is set
> correctly if you're using HTTPS
> [source](https://github.com/apache/superset/discussions/31465).
>
> _To reply, just mention [@dosu](https://go.dosu.dev/dosubot)._

Hi @dosu, thanks for your reply. Now I can get the guest_token, but when I embedded Superset with the SDK, another issue, "Refused to display 'http://172.19.145.51:8088/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.", occurs in the Chrome console.

GitHub link: https://github.com/apache/superset/discussions/35670#discussioncomment-14694560

----
This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
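The recommended flow from the quoted reply (fetch a CSRF token from `/api/v1/security/csrf_token/`, then POST to `/api/v1/security/guest_token/` with it in `X-CSRFToken` and a correct `Referer`), as an added example that is not code from the discussion or from the Superset project. The login endpoint, the JSON shapes of the login, csrf_token and guest_token bodies, and the placeholder host, credentials and dashboard id are assumptions taken from the Superset REST API rather than from the page.

```python
"""Fetch a Superset CSRF token and use it to request an embedded guest token.

Added example; not code from the discussion or the Superset project. The
login endpoint, the response/request JSON shapes and the placeholder values
are assumptions drawn from the Superset REST API, not from the page.
"""
import json
import urllib.request
from http.cookiejar import CookieJar


def parse_csrf_response(body: bytes) -> str:
    """Extract the token from the csrf_token endpoint's JSON ({"result": "..."}).

    Assumed response shape. Rejects a missing or empty token instead of
    sending an empty X-CSRFToken header that the server would refuse anyway.
    """
    data = json.loads(body)
    token = data.get("result") if isinstance(data, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("csrf_token response did not contain a token string")
    return token


def build_guest_token_request(base_url: str, access_token: str, csrf_token: str,
                              dashboard_id: str, username: str):
    """Return (headers, payload) for the guest_token POST.

    Referer is pinned to the Superset origin because Flask-WTF's CSRF check
    also validates the Referer on HTTPS, as the quoted reply notes.
    """
    headers = {
        "Authorization": f"Bearer {access_token}",
        "X-CSRFToken": csrf_token,
        "Referer": base_url.rstrip("/") + "/",
        "Content-Type": "application/json",
    }
    payload = {  # assumed guest_token body shape
        "user": {"username": username, "first_name": username, "last_name": ""},
        "resources": [{"type": "dashboard", "id": dashboard_id}],
        "rls": [],  # assumption: no row-level-security clauses for this guest
    }
    return headers, payload


def fetch_guest_token(base_url: str, username: str, password: str, dashboard_id: str) -> str:
    """Run login, csrf_token and guest_token through ONE cookie jar.

    The cookie jar is the part people miss: Flask-WTF binds the CSRF token to
    the session, so the session cookie set during the csrf_token GET must
    accompany the POST, otherwise the server still reports a CSRF error even
    though a token was sent.
    """
    base_url = base_url.rstrip("/")
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))

    # 1. Log in (assumed endpoint and body) to obtain an access token.
    login_body = json.dumps({"username": username, "password": password,
                             "provider": "db", "refresh": True}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/security/login", data=login_body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with opener.open(req) as resp:
        access_token = json.loads(resp.read())["access_token"]

    # 2. Fetch the CSRF token with the same session and bearer token.
    req = urllib.request.Request(f"{base_url}/api/v1/security/csrf_token/",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with opener.open(req) as resp:
        csrf_token = parse_csrf_response(resp.read())

    # 3. POST for the guest token with the CSRF token in X-CSRFToken.
    headers, payload = build_guest_token_request(base_url, access_token, csrf_token,
                                                 dashboard_id, "embedded-guest")
    req = urllib.request.Request(f"{base_url}/api/v1/security/guest_token/",
                                 data=json.dumps(payload).encode(), headers=headers, method="POST")
    with opener.open(req) as resp:
        return json.loads(resp.read())["token"]  # assumed response key


if __name__ == "__main__":
    # Placeholder host, credentials and dashboard id; replace with your own.
    print(fetch_guest_token("http://superset.example:8088", "admin", "admin",
                            "00000000-0000-0000-0000-000000000000"))
```

Keeping the CSRF token and the session cookie together is what makes the token-based route work without touching `WTF_CSRF_EXEMPT_LIST`; exempting the endpoint removes the cross-site check for every caller, so the token route is the safer default. The later `X-Frame-Options: sameorigin` error is a separate, server-side response header the browser enforces; a valid guest token does not and should not bypass it, and the embedding origin has to be permitted on the Superset host itself.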
