Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/07/21 13:01:56 UTC

[GitHub] [superset] saurabnigam opened a new issue #15819: In ingonito getting Security error when embedding dashboard in iframe

saurabnigam opened a new issue #15819:
URL: https://github.com/apache/superset/issues/15819


   In tag 1.0.0, things worked perfectly in incognito when the dashboard is embedded as an iframe. CORS and CSRF are disabled.
   In tag 1.2.0 it gives an Unexpected error: SupersetApiError: An attempt was made to break through the security policy of the user agent.  
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] vikas-nykaa commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
vikas-nykaa commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-972710803


   @jhult after doing all changes, in Firefox it is working fine
   
   <img width="1271" alt="Screenshot 2021-11-18 at 3 23 49 PM" src="https://user-images.githubusercontent.com/86848951/142392558-333aadcd-23e6-444c-b387-4d07ea239873.png">
   
   But in Chrome, after login, "superset/welcome" is again redirecting me to the /login page
    
   <img width="1435" alt="Screenshot 2021-11-18 at 3 26 48 PM" src="https://user-images.githubusercontent.com/86848951/142393129-4de27c6f-093a-4654-8b76-d92646bdc5e1.png">
   
   And in the logs I am getting
   WARNING:root:Class 'werkzeug.local.LocalProxy' is not mapped
   
   Please help on this
   
   
   




[GitHub] [superset] saurabnigam edited a comment on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
saurabnigam edited a comment on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-886724956


   Yes, the latest version has the same issue.
   
   The dashboard is embedded using an iframe.
   parent domain: a.y.com
   superset domain: b.y.com, i.e. the domain is the same, the subdomain is different. Nginx is used as a reverse proxy and all headers are passed. No CORS or CSRF restrictions are there.
   
   Normally in Chrome or Firefox, if I open this page it works. When I open this in incognito or private browsing in Chrome or Firefox respectively, the error comes.
   
   According to my findings, Superset is trying to access browser storage for caching, which is getting security issues in incognito mode due to cross-domain, but I might be wrong!
   
   Screenshot for reference. 
   ![Capture](https://user-images.githubusercontent.com/20903614/126999923-60b7709d-4004-45e9-9cb6-8bec05bee8f6.PNG)
   
   
   Let me know if more info is required
   


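Added example (not from the thread and not Superset's code): a storage wrapper that tolerates the failure described in the comment above, assuming it is a `SecurityError` thrown when framed code touches browser storage. `createSafeStore` and the two stand-in storage functions are hypothetical names; the stand-ins are constructed so the block also runs outside a browser.

```javascript
// Wrap a Storage-like object so that a blocked frame degrades to an
// in-memory cache instead of failing the whole API call.
function createSafeStore(getStorage) {
  const memory = new Map();
  let backend = null;
  let reason = null;
  try {
    // In a blocked third-party frame even reading window.localStorage can
    // throw, so the lookup itself happens inside the try block.
    const candidate = getStorage();
    const probe = '__storage_probe__';
    candidate.setItem(probe, '1');
    candidate.removeItem(probe);
    backend = candidate;
  } catch (err) {
    reason = err && err.name ? err.name : 'UnknownError';
  }
  return {
    persistent: backend !== null,
    reason, // e.g. 'SecurityError' when the browser denied access
    get(key) {
      if (backend) {
        try {
          const value = backend.getItem(key);
          if (value !== null) return value;
        } catch (err) { /* access revoked later: use memory */ }
      }
      return memory.has(key) ? memory.get(key) : null;
    },
    set(key, value) {
      if (backend) {
        try { backend.setItem(key, String(value)); return; } catch (err) { /* quota or revoked */ }
      }
      memory.set(key, String(value));
    },
  };
}

// Constructed stand-ins for the two situations reported in the thread.
function blockedStorage() {
  const err = new Error('storage access denied (constructed)');
  err.name = 'SecurityError';
  throw err;
}
function workingStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// In a page: const store = createSafeStore(() => window.localStorage);
console.log(createSafeStore(blockedStorage).reason); // SecurityError
```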


[GitHub] [superset] jhult commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
jhult commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-921903904


   Also related to #13697, #15737, and #16718.




[GitHub] [superset] saurabnigam commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
saurabnigam commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-894148164


   @junlincc Do you need any more information?
   I was able to narrow down the code at which this exception occurs. But I don't know how to fix this. Could you guide me?
   https://github.com/apache-superset/superset-ui/blob/4be2c55f8fcf035aee3f39f31dbd264ecda8f2c7/packages/superset-ui-core/src/connection/callApi/callApi.ts#L72




[GitHub] [superset] pnzz7 commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
pnzz7 commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-1009128859


   Semi-solution / workaround for Chrome: **Allow all cookies** in chrome://settings/cookies will do it.




[GitHub] [superset] junlincc commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
junlincc commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-885330435


   Can you provide more information, screenshots, video, etc., and verify if that's still happening in latest master? Thanks @saurabnigam




[GitHub] [superset] vikas-nykaa commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
vikas-nykaa commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-1017185969


   Working fine after setting SESSION_COOKIE_SAMESITE=None,
   because the login API was not able to set the cookie due to cross origin.




[GitHub] [superset] amitmiran137 closed issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
amitmiran137 closed issue #15819:
URL: https://github.com/apache/superset/issues/15819


   




[GitHub] [superset] jhult commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
jhult commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-982766678


   @vikas-nykaa, can you compare the request and response headers between Chrome and Firefox? That might give you a clue as to what is different between the two.
   
   Also, try using an incognito (Chrome) or private (Firefox) window to ensure no cookies are interfering.


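Added example (not from the thread and not Superset's code): one way to carry out the header comparison suggested above, and to see why the `SESSION_COOKIE_SAMESITE=None` setting reported in this thread changes the outcome. It classifies `Set-Cookie` values by whether a SameSite-enforcing browser would attach the cookie inside a cross-site iframe; the function names and the sample headers are constructed for illustration.

```javascript
// Split one Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf('=');
    const key = (i === -1 ? item : item.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1).trim();
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Would a SameSite-enforcing browser attach this cookie to requests made
// from inside a cross-site iframe?
function crossSiteFrameVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite =
    typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === 'none') {
    // Flask's SESSION_COOKIE_SECURE controls the Secure attribute.
    return attrs.secure === true
      ? { name, sent: true, why: 'SameSite=None; Secure (still subject to third-party cookie blocking)' }
      : { name, sent: false, why: 'SameSite=None without Secure is rejected' };
  }
  if (sameSite === 'lax' || sameSite === 'strict') {
    return { name, sent: false, why: `SameSite=${attrs.samesite} is withheld in cross-site frames` };
  }
  // Missing or unrecognised value: browsers that default to Lax (Chrome does) withhold it.
  return { name, sent: false, why: 'no valid SameSite attribute, handled as Lax by default' };
}

// Constructed Set-Cookie values, as they would be copied from the login
// response in each browser's network panel.
const SAMPLE_SET_COOKIE = [
  'session=abc123; HttpOnly; Path=/',
  'session=abc123; HttpOnly; Path=/; SameSite=Lax',
  'session=abc123; HttpOnly; Path=/; SameSite=None',
  'session=abc123; Secure; HttpOnly; Path=/; SameSite=None',
];

function auditSetCookies(headers) {
  return headers.map(crossSiteFrameVerdict);
}

for (const verdict of auditSetCookies(SAMPLE_SET_COOKIE)) {
  console.log(`${verdict.name}: ${verdict.sent ? 'sent' : 'withheld'} (${verdict.why})`);
}
```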


[GitHub] [superset] saurabnigam commented on issue #15819: In ingonito getting Security error when embedding dashboard in iframe

Posted by GitBox <gi...@apache.org>.
saurabnigam commented on issue #15819:
URL: https://github.com/apache/superset/issues/15819#issuecomment-888610033


   @junlincc is there a way I can disable using local storage of browser for caching?

