GitHub user LiamTorrelli added a comment to the discussion: While Accessing Embedded Dashboard getting (blocked:other)

`blocked:other` on an embedded Superset dashboard is almost never one missing 
flag. Chrome puts iframe load failures in that bucket when something in the 
header stack says "this parent can't frame me." In our installs it's usually 
one of four things fighting each other.

**1. Dashboard allow-list (easy to miss)**

In the dashboard Embed modal, **Allowed Domains** must include your parent app 
origin exactly (scheme + host + port). Superset checks `Referer`. If the parent 
is `https://app.example.com` and the allow-list has `https://www.example.com`, 
you get a blank iframe and `blocked:other` in DevTools. Fix the dashboard 
metadata before chasing server config.

**2. Three layers that all have to agree**

You need all of these lined up for cross-origin embed:

- `EMBEDDED_SUPERSET = True` in `superset_config.py`
- CORS: `ENABLE_CORS = True` and `CORS_OPTIONS` with your **parent origins** 
listed (if you use cookies/credentials, `"*"` won't cut it — list the real host 
URLs)
- Framing: `TALISMAN_CONFIG` with `content_security_policy` → `frame-ancestors` 
including the parent origin

**3. Reverse proxy / nginx often wins**

Even with Talisman correct, nginx or your ingress can still send 
`X-Frame-Options: DENY` or a stricter CSP. Open DevTools → Network → load the 
`/embedded/<uuid>` request inside the iframe and read **response headers** on 
the Superset side. If `X-Frame-Options` or `Content-Security-Policy` doesn't 
list your parent, that's your blocker — fix it at the proxy, not only in Python 
config.

**4. Helm `configOverrides` = valid Python**

The `SyntaxError` on `CORS_OPTIONS: |` is because that pipe block landed in 
`superset_config.py` as invalid Python. In Helm, `configOverrides` must end up 
as normal assignments, e.g.:

```python
ENABLE_CORS = True
CORS_OPTIONS = {
    "supports_credentials": True,
    "allow_headers": ["*"],
    "resources": [r"/api/v1/security/guest_token/.*", "/*"],
    "origins": ["https://your-parent-app.com"],
}
TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        "frame-ancestors": ["'self'", "https://your-parent-app.com"],
    },
}
```
Swap in your real parent URL. Restart after deploy.

On flask_cors: if `ENABLE_CORS = True` and the container throws `ModuleNotFoundError: No module named 'flask_cors'`, the image may be missing the dependency (see [networking settings](https://superset.apache.org/docs/configuration/networking-settings/#cors) — pre-5.x needed an explicit install). Worth checking your Superset version against what the chart ships.

Related upstream thread with no resolution: 
https://github.com/apache/superset/issues/24078

We maintain a checklist of all nine server-side switches (CORS, Talisman, guest 
token, per-dashboard allow-list, and where they interact behind a proxy): 
https://www.drafted.work/blog/superset-embedded-sdk-guest-tokens

GitHub link: 
https://github.com/apache/superset/discussions/32482#discussioncomment-17322040
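As an added example (not from the discussion above, the Superset project, or its docs): a small Python check that takes the `X-Frame-Options` and `Content-Security-Policy` response headers from the `/embedded/<uuid>` request and reports whether a given parent origin would be allowed to frame it, applying the browser rule that `frame-ancestors`, when present, takes precedence over `X-Frame-Options`. The function names are my own, and every origin and header value used with it is constructed for illustration.

```python
# Added example: header-level framing check, not Superset code. Assumes the
# parent and Superset origins are well-formed "scheme://host[:port]" strings.
from __future__ import annotations
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source: str, parent: str, superset: str) -> bool:
    """Does one frame-ancestors source expression admit the parent origin?"""
    src = source.lower()
    if src == "*":
        return True
    if src == "'self'":
        return parent == superset
    p = urlsplit(parent)
    if src.endswith(":") and "://" not in src:  # scheme-source such as "https:"
        return src == p.scheme + ":"
    scheme, sep, hostport = src.rpartition("://")
    if sep and scheme != p.scheme:  # an explicit scheme must match the parent's
        return False
    host, _, port = hostport.partition(":")
    parent_port = str(p.port) if p.port else {"https": "443", "http": "80"}.get(p.scheme, "")
    if port and port != "*" and port != parent_port:
        return False
    if host.startswith("*."):  # wildcard admits subdomains only, never the bare domain
        return p.hostname.endswith(host[1:])
    return p.hostname == host  # 'none' and anything unrecognised end up here as False

def framable_by(headers: dict[str, str], parent: str, superset: str) -> tuple[bool, str]:
    """Decide from response headers alone whether `parent` may frame `superset`.
    Chrome enforces frame-ancestors when present and then ignores X-Frame-Options."""
    parent, superset = parent.rstrip("/").lower(), superset.rstrip("/").lower()
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        if any(source_matches(s, parent, superset) for s in ancestors):
            return True, f"frame-ancestors admits {parent}"
        return False, f"frame-ancestors {' '.join(ancestors)} does not list {parent}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY" or (xfo == "SAMEORIGIN" and parent != superset):
        return False, f"X-Frame-Options: {xfo} blocks {parent}"
    return True, "no response header forbids framing"
```

Feed it the header dict copied from the DevTools Network panel: a `False` result with a `frame-ancestors` reason points at Talisman or the dashboard allow-list, while an `X-Frame-Options` reason with no CSP at all points at the proxy.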
