kgabryje commented on code in PR #41004:
URL: https://github.com/apache/superset/pull/41004#discussion_r3414804825
##########
superset-frontend/src/components/StreamingExportModal/useStreamingExport.ts:
##########
@@ -95,17 +98,25 @@ const createFetchRequest = async (
payload: StreamingExportPayload,
filename: string | undefined,
_exportType: string,
+ exportSource: StreamingExportSource | undefined,
expectedRows: number | undefined,
signal: AbortSignal,
): Promise<RequestInit> => {
const headers: Record<string, string> = {
'Content-Type': 'application/x-www-form-urlencoded',
};
- // Get CSRF token using SupersetClient
- const csrfToken = await SupersetClient.getCSRFToken();
- if (csrfToken) {
- headers['X-CSRFToken'] = csrfToken;
+ const guestToken = SupersetClient.getGuestToken();
+ const isGuestTokenChartExport =
+ Boolean(guestToken) &&
+ exportSource === 'chart' &&
+ !('client_id' in payload);
+
+ if (!isGuestTokenChartExport) {
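Review bot: the `!('client_id' in payload)` clause in `isGuestTokenChartExport` is the one part of this condition that is not self-explanatory, and with the `// Get CSRF token using SupersetClient` comment removed, the hunk no longer says anywhere why CSRF is skipped for this case. A payload that happens to carry `client_id` presumably falls into the `if (!isGuestTokenChartExport)` branch even when a guest token is present, so please add a note beside the condition stating what `client_id` signals here (which export flow sets it) and why that flow is excluded from the guest-token path. Separately, `exportSource` is inserted positionally between `_exportType` and `expectedRows`, so every caller that passes `expectedRows` positionally has to be updated in this same change; worth a grep of call sites, or a move to an options object if there are several.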
Review Comment:
Non-blocking suggestion: could you add a short comment here documenting the
security invariant behind skipping CSRF?
This path is safe because embedded guest sessions can’t fetch
`/api/v1/security/csrf_token/`, and `/api/v1/chart/data` is already CSRF-exempt
server-side (`WTF_CSRF_EXEMPT_LIST`) while guest auth is carried in the
`guest_token` form field. Since that’s a cross-layer coupling, an inline note
would make future CSRF hardening/refactors less likely to regress embedded
exports.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]