rusackas opened a new pull request, #40629: URL: https://github.com/apache/superset/pull/40629
### SUMMARY

The embedded dashboard page previously had its postMessage origin check commented out, so the page would set up the `MessagePort`/Switchboard handshake in response to a message from any origin. This change makes the embedded page enforce the dashboard's configured **Allowed Domains** for incoming `postMessage` events.

How it works:

- **Backend** (`superset/embedded/view.py`): the server-rendered embedded view already loads the `EmbeddedDashboard` and validates the request referrer against `allowed_domains`. We now also include `allowed_domains` in the `embedded` bootstrap payload so the frontend can perform the same check on message origins. This reuses the existing `EmbeddedDashboard.allowed_domains` property and the existing JSON serialization path.
- **Frontend** (`superset-frontend/src/embedded/index.tsx` + new `originValidation.ts`): `validateMessageEvent` now validates `event.origin` against the bootstrap-provided allowed domains before processing the message. The origin/type-validation logic was extracted into `originValidation.ts` so it can be unit tested without executing the page's module-level side effects. The obsolete commented-out `ALLOW_ORIGINS` code was removed.

**Back-compatibility (important):** enforcement is opt-in by configuration and matches the existing backend referrer semantics — an empty (or undefined) Allowed Domains list means *any* origin is accepted. So embeds that did not configure Allowed Domains see **no behavior change**. Only when the list is non-empty is the origin restricted to the listed domains (mismatches are ignored with a `console.warn`).

Guest-token issuance and all other embedding logic are unchanged; this only affects the postMessage origin gate. A matching note was added to `UPDATING.md` under the unreleased "Next" section. This touches both the backend bootstrap payload and the frontend message handler.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A (no UI changes).
### TESTING INSTRUCTIONS

- Frontend unit tests: `cd superset-frontend && npx jest src/embedded` — covers empty/undefined list allowing any origin, listed origin allowed, and unlisted origin rejected.
- Backend: `pytest tests/integration_tests/embedded/test_view.py` — asserts the bootstrap payload includes `allowed_domains` (empty and configured cases).
- Manual: embed a dashboard with Allowed Domains configured; messages from a non-listed origin are ignored (the dashboard does not initialize from that parent), while a listed origin works as before. With no Allowed Domains set, behavior is unchanged.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [x] Required feature flags: `EMBEDDED_SUPERSET`
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)
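The postMessage origin gate described in the PR, written out as an added example (this is not Superset's `originValidation.ts`, just an illustration of the same rules: an empty or undefined list accepts any origin, a non-empty list rejects unlisted origins with a `console.warn`, and the message type is checked separately). The matching rule for list entries (full origin or bare hostname, exact comparison, no suffix matching) and the `HANDSHAKE_TYPE` value are assumptions of this example, not the project's own semantics.

```typescript
// Added example, not Superset's own code. Minimal shape of the fields we need
// from a DOM MessageEvent so the logic runs in Node without DOM typings.
interface IncomingMessage {
  origin: string;
  data: unknown;
}

type RejectReason = 'none' | 'origin-not-allowed' | 'unsupported-type';

interface ValidationResult {
  ok: boolean;
  reason: RejectReason;
}

// Hypothetical handshake message type (assumption, not the project's value).
const HANDSHAKE_TYPE = '__embedded_handshake__';

// Back-compat rule from the PR: an empty or undefined list accepts any origin.
// Assumption for this example: each entry is either a full origin
// ("https://app.example.com") compared on scheme+host+port, or a bare
// hostname compared exactly against the origin's hostname (no suffix match).
function isOriginAllowed(origin: string, allowedDomains: string[] | undefined): boolean {
  if (!allowedDomains || allowedDomains.length === 0) return true;
  let parsed: URL;
  try {
    parsed = new URL(origin); // an opaque origin such as "null" fails here
  } catch {
    return false;
  }
  return allowedDomains.some((entry) => {
    const normalized = entry.trim().toLowerCase();
    if (normalized.includes('://')) {
      try {
        return new URL(normalized).origin === parsed.origin;
      } catch {
        return false; // malformed entry never matches
      }
    }
    return normalized === parsed.hostname.toLowerCase();
  });
}

// Gate applied before any handshake work: origin first, then message type.
function validateMessageEvent(event: IncomingMessage, allowedDomains: string[] | undefined): ValidationResult {
  if (!isOriginAllowed(event.origin, allowedDomains)) {
    console.warn(`Ignoring postMessage from non-allowed origin: ${event.origin}`);
    return { ok: false, reason: 'origin-not-allowed' };
  }
  const data = event.data as { type?: unknown } | null;
  if (!data || data.type !== HANDSHAKE_TYPE) return { ok: false, reason: 'unsupported-type' };
  return { ok: true, reason: 'none' };
}
```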
