Incubator-superset: Error `The CSRF session token is missing` when embed superset in iframe
Error The CSRF session token is missing when embed superset in iframe
Expected results
Embed charts or dashboard in my web page via iframe
Code
<iframe
width="1600"
height="800"
seamless
frameBorder="0"
scrolling="no"
src="http://192.168.11.118:8088/superset/explore/?form_data=%7B%22datasource%22%3A%2212__table%22%2C%22viz_type%22%3A%22deck_path%22%2C%22slice_id%22%3A81%2C%22url_params%22%3A%7B%7D%2C%22granularity_sqla%22%3Anull%2C%22time_grain_sqla%22%3Anull%2C%22time_range%22%3A%22+%3A+%22%2C%22line_column%22%3A%22path_json%22%2C%22line_type%22%3A%22json%22%2C%22row_limit%22%3A5000%2C%22filter_nulls%22%3Atrue%2C%22adhoc_filters%22%3A%5B%5D%2C%22mapbox_style%22%3A%22mapbox%3A%2F%2Fstyles%2Fmapbox%2Flight-v9%22%2C%22viewport%22%3A%7B%22altitude%22%3A1.5%2C%22bearing%22%3A0%2C%22height%22%3A1094%2C%22latitude%22%3A37.73671752604488%2C%22longitude%22%3A-122.18885402582598%2C%22maxLatitude%22%3A85.05113%2C%22maxPitch%22%3A60%2C%22maxZoom%22%3A20%2C%22minLatitude%22%3A-85.05113%2C%22minPitch%22%3A0%2C%22minZoom%22%3A0%2C%22pitch%22%3A0%2C%22width%22%3A669%2C%22zoom%22%3A9.51847667620428%7D%2C%22color_picker%22%3A%7B%22a%22%3A1%2C%22b%22%3A135%2C%22g%22%3A122%2C%22r%22%3A0%7D%2C%22line_width%22%3A150%2C%22reverse_long_lat%22%3Afalse%2C%22autozoom%22%3Atrue%2C%22js_columns%22%3A%5B%22color%22%5D%2C%22js_data_mutator%22%3A%22data+%3D%3E+data.map%28d+%3D%3E+%28%7B%5Cn++++...d%2C%5Cn++++color%3A+colors.hexToRGB%28d.extraProps.color%29%5Cn%7D%29%29%3B%22%2C%22js_tooltip%22%3A%22%22%2C%22js_onclick_href%22%3A%22%22%7D&standalone=true&height=400"
>
</iframe>
Actual results
Access in chrome address bar
Successful access
When access my web page via iframe
- Role
admin
When I login, Receive Error "Bad Request
The CSRF session token is missing.
" - Role
public
Receive Error<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>400 Bad Request</title> <h1>Bad Request</h1> <p>The CSRF session token is missing.</p>
Screenshots
How to reproduce the bug
- Launch Apache Superset in virtualenv
superset run -h 0.0.0.0 -p 8088 - Connect the link via iframe into another separate webpage
- See error
Environment
(please complete the following information):
- superset version:
0.999.0dev / master 2019-10-13 - python version:
3.7.3 - node.js version:
v10.15.2 - npm version:
5.8.0
Checklist
Make sure these boxes are checked before submitting your issue - thank you!
- [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [x] I have reproduced the issue with at least the latest released version of superset.
- [x] I have checked the issue tracker for the same issue and I haven't found one similar.
Additional context
config.py setting
PUBLIC_ROLE_LIKE_GAMMA = True
YBLS
All 5 comments
Issue-Label Bot is automatically applying the label #bug to this issue, with a confidence of 0.79. Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback!
Links: app homepage, dashboard and code for this bot.
![issue-label-bot[bot] picture](https://avatars2.githubusercontent.com/in/27079?v=4&s=40)
issue-label-bot[bot]
on 14 Oct 2019
I have solved this problem.
SESSION_COOKIE_SAMESITE = None # One of [None, 'Lax', 'Strict']
YBLS
on 18 Oct 2019
Where did you set this? I've installed superset using pip and can't tell where I can set that variable; thanks.
andrewmusselman
on 17 Dec 2019
Where did you set this? I've installed superset using pip and can't tell where I can set that variable; thanks.
set in superset/config.py銆俆his is flask session cookie options
YBLS
on 17 Dec 2019
In superset 0.36 it is also necessary to set
SESSION_COOKIE_HTTPONLY = False
to get dashboard working (without CSRF token issue) within iframe
lilila
on 19 Mar 2020
Related issues
josephtyler
路
3Comments
gbrian
路
3Comments
eliab
路
3Comments
XiaodiKong
路
3Comments
thoralf-gutierrez
路
3Comments
Most helpful comment
I have solved this problem.
SESSION_COOKIE_SAMESITE = None # One of [None, 'Lax', 'Strict']