rusackas commented on code in PR #40629:
URL: https://github.com/apache/superset/pull/40629#discussion_r3342893420


##########
tests/integration_tests/embedded/test_view.py:
##########
@@ -48,6 +48,29 @@
     uri = f"embedded/{embedded.uuid}"
     response = client.get(uri)
     assert response.status_code == 200
+    # The bootstrap payload exposes the (empty) allowed-domains list so the
+    # frontend can validate postMessage origins.
+    data = response.data.decode("utf-8")
+    assert "allowed_domains" in data
+
+
[email protected]("load_birth_names_dashboard_with_slices")
[email protected](
+    "superset.extensions.feature_flag_manager._feature_flags",
+    EMBEDDED_SUPERSET=True,
+)
+def test_get_embedded_dashboard_bootstrap_includes_allowed_domains(
+    client: FlaskClient[Any],  # noqa: F811
+):
+    dash = db.session.query(Dashboard).filter_by(slug="births").first()
+    embedded = EmbeddedDashboardDAO.upsert(dash, 
["https://allowed.example.com";])
+    db.session.flush()
+    uri = f"embedded/{embedded.uuid}"
+    response = client.get(uri, headers={"Referer": 
"https://allowed.example.com"})
+    assert response.status_code == 200
+    data = response.data.decode("utf-8")
+    assert "allowed_domains" in data
+    assert "https://allowed.example.com"; in data
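Review bot: the assertions at `assert "allowed_domains" in data` and `assert "https://allowed.example.com"; in data` are raw substring searches over the rendered HTML, so they cannot tell the `allowed_domains` list apart from the same string appearing anywhere else in the page; the second test also sends that exact origin as the `Referer` header, so a reflected header value would make the test pass with an empty list. Parse the bootstrap payload out of the response and assert on the structure, e.g. `assert bootstrap["allowed_domains"] == ["https://allowed.example.com"]`, and in the first test assert the list is actually empty rather than only that the key name occurs, since the comment above it claims the list is empty.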

Review Comment:
   This was a substring match in a test assertion rather than real 
sanitization, but I reworked the test to parse the bootstrap JSON and assert 
against the structured allowed_domains list instead of doing a raw substring 
search on the rendered HTML. That clears the alert and makes the assertion 
stronger.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
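The structured check the comment describes, as an added example (not Superset's own code and not the test in this PR): pull the bootstrap JSON out of a rendered embedded page and assert on its `allowed_domains` list, then show why that is stronger than a substring search when the same origin is reflected elsewhere in the page. It assumes that the bootstrap JSON is rendered HTML-escaped into a `data-bootstrap` attribute on a `<div id="app">` element and that the list lives under an `embedded.allowed_domains` key; both the attribute location, the key path and the `render_page` stand-in template are assumptions made for this example.

```python
"""Added example: structured allowed_domains check vs. substring search.

Assumptions (not taken from Superset): the bootstrap payload is HTML-escaped
JSON in a data-bootstrap attribute on <div id="app">, and the allowed-origin
list sits at data["embedded"]["allowed_domains"].
"""
import html
import json
from html.parser import HTMLParser
from typing import Optional


class _BootstrapExtractor(HTMLParser):
    """Collect the data-bootstrap attribute of the first element carrying one."""

    def __init__(self) -> None:
        super().__init__()
        self.payload: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if self.payload is not None:
            return
        for name, value in attrs:
            if name == "data-bootstrap" and value is not None:
                # HTMLParser has already unescaped &quot; etc. in the value.
                self.payload = value


def extract_bootstrap(page_html: str) -> dict:
    """Return the decoded bootstrap JSON, or raise if the page has none."""
    parser = _BootstrapExtractor()
    parser.feed(page_html)
    if parser.payload is None:
        raise ValueError("no data-bootstrap attribute found in page")
    return json.loads(parser.payload)


def allowed_domains(page_html: str) -> list:
    """Return the allowed_domains list, validating that it really is a list of str."""
    data = extract_bootstrap(page_html)
    domains = data.get("embedded", {}).get("allowed_domains")  # assumed key path
    if not isinstance(domains, list) or not all(isinstance(d, str) for d in domains):
        raise ValueError("allowed_domains missing or not a list of strings")
    return domains


def render_page(bootstrap: dict, extra_text: str = "") -> str:
    """Constructed stand-in for a rendered embedded page (not Superset's template)."""
    escaped = html.escape(json.dumps(bootstrap), quote=True)
    return (
        "<!DOCTYPE html><html><body>"
        f'<div id="app" data-bootstrap="{escaped}"></div>'
        f"<p>{html.escape(extra_text)}</p>"
        "</body></html>"
    )


def substring_says_allowed(page_html: str, origin: str) -> bool:
    """The weak check: passes whenever the origin appears anywhere in the HTML."""
    return origin in page_html


def structured_says_allowed(page_html: str, origin: str) -> bool:
    """The strong check: passes only if the origin is in the parsed list."""
    return origin in allowed_domains(page_html)


if __name__ == "__main__":
    origin = "https://allowed.example.com"
    # Page whose allowed list is empty but whose body reflects the Referer.
    reflected = render_page({"embedded": {"allowed_domains": []}},
                            extra_text=f"Referer: {origin}")
    print("substring:", substring_says_allowed(reflected, origin))   # True (false positive)
    print("structured:", structured_says_allowed(reflected, origin))  # False
```

The false positive is the case the review alert is about: with the origin sent as a `Referer`, any page that echoes request headers, or even an unrelated error string containing the host, satisfies the substring assertion while the parsed list is still empty. Asserting `allowed_domains(page) == [...]` also catches a payload that has the key but the wrong type.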

