rusackas opened a new pull request, #40667: URL: https://github.com/apache/superset/pull/40667
### SUMMARY The embedded dashboard view (`superset/embedded/view.py`) performs `login_user(AnonymousUserMixin(), force=True)` on a GET request, gated only by an optional referrer check (`same_origin`). This adds a **`Sec-Fetch-Dest`** guard as defense-in-depth: when the browser sends the header (which page script cannot forge), the request must target an embeddable destination (`iframe`/`frame`) or a direct `document`/`empty` (fetch) load — rejecting contexts like `<img>`/`<script>`/`<object>`. An **absent** header (older browsers / non-browser clients) is allowed for backward compatibility. This is defense-in-depth only — the view grants no privileges (anonymous user; the real authorization for embedded dashboards is the guest token sent later by the host page) — but it further constrains how the page can be loaded cross-site. ### TESTING INSTRUCTIONS ``` pytest tests/integration_tests/embedded/test_view.py ``` New tests: a non-embeddable `Sec-Fetch-Dest: image` is rejected (403); `Sec-Fetch-Dest: iframe` is allowed (200). ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: EMBEDDED_SUPERSET - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
