codeant-ai-for-open-source[bot] commented on code in PR #39300:
URL: https://github.com/apache/superset/pull/39300#discussion_r3277342973
##########
docker/pythonpath_dev/superset_config_docker_light.py:
##########
@@ -36,3 +38,32 @@
# Disable Celery entirely for lightweight mode
CELERY_CONFIG = None # type: ignore[assignment,misc]
+
+# Honor SUPERSET_FEATURE_<NAME> env vars on top of any flags inherited from
+# superset_config. Lets local dev/e2e enable features (e.g. EMBEDDED_SUPERSET)
+# without editing shipped config files. Only the literal string "true"
+# (case-insensitive) is treated as enabled — "1"/"yes"/"on" are not, matching
+# the strict-string convention used elsewhere in Superset's env parsing.
+FEATURE_FLAGS = {
+ **FEATURE_FLAGS, # noqa: F405
+ **{
+ name[len("SUPERSET_FEATURE_") :]: value.strip().lower() == "true"
+ for name, value in os.environ.items()
+ if name.startswith("SUPERSET_FEATURE_")
+ },
+}
+
+if os.environ.get("SUPERSET_FEATURE_EMBEDDED_SUPERSET", "").strip().lower() ==
"true":
+ # Disable Talisman so /embedded/<uuid> doesn't return
X-Frame-Options:SAMEORIGIN.
+ # Without this, browsers refuse to render Superset inside an iframe from a
+ # different origin (i.e. the embedded SDK use case). Production/CI
configures
+ # Talisman with explicit `frame-ancestors`; for the lightweight local
stack we
+ # just turn it off.
+ TALISMAN_ENABLED = False
Review Comment:
**Suggestion:** Disabling Talisman entirely when embedding is enabled
removes global clickjacking/CSP protections for the whole lightweight instance,
not just embedded routes. This creates an avoidable security regression; keep
Talisman enabled and configure frame-ancestors/frame options narrowly for
embedded use instead of turning the middleware off. [security]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ Lightweight docker stack runs without Talisman protections.
- ⚠️ Embedded feature flag disables headers on all routes.
- ⚠️ Clickjacking/CSP defenses absent in this dev environment.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Run Superset using the lightweight docker stack that loads
`docker/pythonpath_dev/superset_config_docker_light.py` (file header at line
18 describes
it as config for `docker-compose-light.yml`).
2. Set the environment variable `SUPERSET_FEATURE_EMBEDDED_SUPERSET=true` so
the
conditional at `docker/pythonpath_dev/superset_config_docker_light.py:56-62`
executes and
overrides `TALISMAN_ENABLED = False`.
3. During startup, `SupersetAppInitializer.configure_middlewares()` in
`superset/initialization/__init__.py:902-922` reads
`self.config["TALISMAN_ENABLED"]`
(line 902 from Grep) and, because it is now `False`, skips
`talisman.init_app(self.superset_app, **talisman_config)` (line 21 of that
block), so
Flask-Talisman is not applied to the WSGI app at all.
4. Access any route in this lightweight instance (e.g., `/login` or
`/superset/dashboard`)
and inspect response headers; because Talisman is completely disabled by
this config, no
Talisman-managed CSP or X-Frame-Options protections are present for any
route, even those
unrelated to embedding, matching the concern in the suggestion.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=8f2d901ac8bc471792a3acb92befe415&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=8f2d901ac8bc471792a3acb92befe415&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** docker/pythonpath_dev/superset_config_docker_light.py
**Line:** 62:62
**Comment:**
*Security: Disabling Talisman entirely when embedding is enabled
removes global clickjacking/CSP protections for the whole lightweight instance,
not just embedded routes. This creates an avoidable security regression; keep
Talisman enabled and configure frame-ancestors/frame options narrowly for
embedded use instead of turning the middleware off.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F39300&comment_hash=8272f610ea8907bfe351e4f36f1ae21567d4fc49e21ecf96d48b2499bf7a7f23&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F39300&comment_hash=8272f610ea8907bfe351e4f36f1ae21567d4fc49e21ecf96d48b2499bf7a7f23&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
