superset: Error `The CSRF session token is missing` when embedding Superset in an iframe


Expected results

Embed charts or a dashboard in my web page via an iframe.

Code

<iframe
  width="1600"
  height="800"
  seamless
  frameBorder="0"
  scrolling="no"
  src="http://192.168.11.118:8088/superset/explore/?form_data=%7B%22datasource%22%3A%2212__table%22%2C%22viz_type%22%3A%22deck_path%22%2C%22slice_id%22%3A81%2C%22url_params%22%3A%7B%7D%2C%22granularity_sqla%22%3Anull%2C%22time_grain_sqla%22%3Anull%2C%22time_range%22%3A%22+%3A+%22%2C%22line_column%22%3A%22path_json%22%2C%22line_type%22%3A%22json%22%2C%22row_limit%22%3A5000%2C%22filter_nulls%22%3Atrue%2C%22adhoc_filters%22%3A%5B%5D%2C%22mapbox_style%22%3A%22mapbox%3A%2F%2Fstyles%2Fmapbox%2Flight-v9%22%2C%22viewport%22%3A%7B%22altitude%22%3A1.5%2C%22bearing%22%3A0%2C%22height%22%3A1094%2C%22latitude%22%3A37.73671752604488%2C%22longitude%22%3A-122.18885402582598%2C%22maxLatitude%22%3A85.05113%2C%22maxPitch%22%3A60%2C%22maxZoom%22%3A20%2C%22minLatitude%22%3A-85.05113%2C%22minPitch%22%3A0%2C%22minZoom%22%3A0%2C%22pitch%22%3A0%2C%22width%22%3A669%2C%22zoom%22%3A9.51847667620428%7D%2C%22color_picker%22%3A%7B%22a%22%3A1%2C%22b%22%3A135%2C%22g%22%3A122%2C%22r%22%3A0%7D%2C%22line_width%22%3A150%2C%22reverse_long_lat%22%3Afalse%2C%22autozoom%22%3Atrue%2C%22js_columns%22%3A%5B%22color%22%5D%2C%22js_data_mutator%22%3A%22data+%3D%3E+data.map%28d+%3D%3E+%28%7B%5Cn++++...d%2C%5Cn++++color%3A+colors.hexToRGB%28d.extraProps.color%29%5Cn%7D%29%29%3B%22%2C%22js_tooltip%22%3A%22%22%2C%22js_onclick_href%22%3A%22%22%7D&standalone=true&height=400"
>
</iframe>

Actual results

Accessing the URL directly in the Chrome address bar: successful.

When accessing it via the iframe in my web page:

  • Role admin: after I log in, I receive the error:

    Bad Request

    The CSRF session token is missing.

  • Role public: I receive the raw 400 page:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>400 Bad Request</title> <h1>Bad Request</h1> <p>The CSRF session token is missing.</p>

Screenshots

How to reproduce the bug

  1. Launch Apache Superset in a virtualenv: `superset run -h 0.0.0.0 -p 8088`
  2. Load the link via an iframe in a separate web page
  3. See error

Environment


  • superset version: 0.999.0dev / master 2019-10-13
  • python version: 3.7.3
  • node.js version: v10.15.2
  • npm version: 5.8.0

Checklist

Make sure these boxes are checked before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven’t found one similar.

Additional context

config.py setting: `PUBLIC_ROLE_LIKE_GAMMA = True`

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 22 (3 by maintainers)

Most upvoted comments


I have solved this problem: `SESSION_COOKIE_SAMESITE = None  # One of [None, 'Lax', 'Strict']`

I use version 1.1.0. My way is:

`WTF_CSRF_ENABLED = False`

I am still getting the same error even after applying all the configurations.

I have tried setting `SESSION_COOKIE_SAMESITE = "None"` and `SESSION_COOKIE_SAMESITE = None`. I am using HTTPS and I don't want to disable CSRF. I am getting the error below:

{"errors": [{"message": "400 Bad Request: The CSRF session token is missing.", "error_type": "GENERIC_BACKEND_ERROR", "level": "error", "extra": {"issue_codes": [{"code": 1011, "message": "Issue 1011 - Superset encountered an unexpected error."}]}}]}

It is working fine when I call the API from Postman. However, in the app I keep getting the same error. I have also attached `"Referer" => "https://mydomain/api/v1/security/csrf_token/"`.

In the “app”, when you get the CSRF Token, it responds with a Set-Cookie header alongside the token. You need to use that same cookie when requesting the guest token.

Depending on how you’re doing the requests, if you create a “client” that does all of the requests it’ll probably store the cookies automatically. If not, you need to add the cookies in manually.
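The flow the two comments above describe, as an added example that is not part of the thread and not Superset's own code: fetch the CSRF token, keep the `Set-Cookie` that comes back with it, and replay that cookie together with the `X-CSRFToken` header on the guest-token request. Only `/api/v1/security/csrf_token/` appears in this thread; the `/api/v1/security/login` and `/api/v1/security/guest_token/` paths are assumed from Superset's security API, and the tiny local server below is a constructed stand-in so the exchange runs offline. It enforces exactly one rule: no session cookie or no matching header on the guest-token call yields the same 400 body quoted in the thread.

```python
import json
import threading
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values; a real Superset issues its own.
CSRF_TOKEN = "demo-csrf-token"
SESSION_COOKIE = "session=demo-session-cookie"
CSRF_ERROR = {"errors": [{"message": "400 Bad Request: The CSRF session token is missing.",
                          "error_type": "GENERIC_BACKEND_ERROR"}]}


class FakeSuperset(BaseHTTPRequestHandler):
    """Constructed stand-in for the three security endpoints the embed flow uses.
    /guest_token/ requires the session cookie set by /csrf_token/ AND the
    matching X-CSRFToken header, which is the rule the comment describes."""

    def _send(self, status, body, set_cookie=False):
        raw = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        if set_cookie:  # Flask hands out the session cookie alongside the token
            self.send_header("Set-Cookie", SESSION_COOKIE + "; Path=/; HttpOnly")
        self.end_headers()
        self.wfile.write(raw)

    def do_GET(self):
        if self.path == "/api/v1/security/csrf_token/":
            self._send(200, {"result": CSRF_TOKEN}, set_cookie=True)
        else:
            self._send(404, {"message": "Not found"})

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/api/v1/security/login":
            self._send(200, {"access_token": "demo-access-token"})
        elif self.path == "/api/v1/security/guest_token/":
            cookie_ok = SESSION_COOKIE in self.headers.get("Cookie", "")
            header_ok = self.headers.get("X-CSRFToken") == CSRF_TOKEN
            if cookie_ok and header_ok:
                self._send(200, {"token": "demo-guest-token"})
            else:
                self._send(400, CSRF_ERROR)
        else:
            self._send(404, {"message": "Not found"})

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_superset():
    """Bind the stand-in on a free local port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeSuperset)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def _call(opener, url, headers, payload=None):
    """One JSON request through the opener; returns (status, parsed body) even on 4xx."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json", **headers},
                                 method="GET" if data is None else "POST")
    try:
        with opener.open(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def fetch_guest_token(base_url, keep_cookies=True):
    """login -> csrf_token -> guest_token. A cookie jar on the opener replays the
    Set-Cookie from the CSRF call automatically; with keep_cookies=False the
    cookie is dropped and the 400 from the thread comes back."""
    handlers = [urllib.request.HTTPCookieProcessor(CookieJar())] if keep_cookies else []
    opener = urllib.request.build_opener(*handlers)
    _, login = _call(opener, base_url + "/api/v1/security/login", {},
                     {"username": "admin", "password": "admin", "provider": "db", "refresh": True})
    auth = {"Authorization": f"Bearer {login['access_token']}"}
    _, csrf = _call(opener, base_url + "/api/v1/security/csrf_token/", auth)
    return _call(opener, base_url + "/api/v1/security/guest_token/",
                 {**auth, "X-CSRFToken": csrf["result"]},
                 {"user": {"username": "embed"}, "resources": [{"type": "dashboard", "id": "1"}], "rls": []})
```

If your client library does not keep a cookie jar, the equivalent is to copy the `session` cookie from the CSRF response's `Set-Cookie` header into the `Cookie` header of the guest-token request; a fresh session without that cookie has no CSRF state for Flask-WTF to compare the header against.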

Where did you set this? I’ve installed superset using pip and can’t tell where I can set that variable; thanks.

Set it in superset/config.py. These are Flask session cookie options.

headersauth = {'Content-Type': 'application/json', 'Authorization': f'Bearer {access_token}', 'X-CSRFToken': csrf_token, 'Cookie': set_cookie}

Still getting the same error:

{'errors': [{'message': '400 Bad Request: The CSRF session token is missing.', 'error_type': 'GENERIC_BACKEND_ERROR', 'level': 'error', 'extra': {'issue_codes': [{'code': 1011, 'message': 'Issue 1011 - Superset encountered an unexpected error.'}]}}]}

Try `X-CSRF-TOKEN`

Please note, it's `SESSION_COOKIE_SAMESITE = "None"`, not `SESSION_COOKIE_SAMESITE = None`.

This issue produces quite some confusion because browser behaviours aren't aligned…

Actually, what I found is the following:

SESSION_COOKIE_SAMESITE = "None" # Sufficient for Firefox
SESSION_COOKIE_SECURE = True # Required for Google Chrome (at least from version 84)

The above setup is stated in an IETF proposal, Incrementally Better Cookies, and was brought to my attention in this article: Cookies and Iframes.

More over, I noticed the following:

  • Google Chrome fails in incognito mode
  • Google Chrome fails if Superset is not under https
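Why those three observations hang together, as an added model that is not part of the thread or of Superset: a Flask session cookie with no `SameSite` attribute is treated as `Lax` by Chrome 80+, a `Lax` cookie is not attached to a cross-site iframe load, `SameSite=None` is only honoured by Chrome when `Secure` is also set, a `Secure` cookie never travels over plain http, and an incognito profile that blocks third-party cookies drops the cookie whatever its attributes. The browser profiles below are constructed assumptions that encode those rules (Firefox of that era is modelled as not enforcing Lax-by-default); the config keys are the Flask keys named in this thread, and the Python value `None` versus the string `"None"` distinction is the one the earlier comment points out. The result, for each config, is whether the session cookie reaches Superset at all; when it does not, Flask-WTF has no session to find the CSRF token in.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Browser:
    """Constructed browser profile; flags model the behaviours reported in the thread."""
    name: str
    lax_by_default: bool        # missing SameSite is treated as Lax (Chrome 80+)
    none_requires_secure: bool  # SameSite=None without Secure is rejected (Chrome 80+)
    blocks_third_party: bool    # e.g. incognito with third-party cookies blocked


CHROME = Browser("chrome", True, True, False)
CHROME_INCOGNITO = Browser("chrome-incognito", True, True, True)
FIREFOX = Browser("firefox", False, False, False)  # assumption: no Lax-by-default enforcement


def session_cookie_attrs(config: dict) -> Tuple[Optional[str], bool]:
    """Read the Flask keys from superset_config.py. The Python value None means
    'emit no SameSite attribute'; only the string "None" emits SameSite=None."""
    return config.get("SESSION_COOKIE_SAMESITE"), bool(config.get("SESSION_COOKIE_SECURE", False))


def cookie_sent(config: dict, browser: Browser, https: bool, cross_site: bool = True) -> bool:
    """Would the browser attach Superset's session cookie to a request made from an
    iframe on another site? False means Flask-WTF sees no session, hence the 400."""
    samesite, secure = session_cookie_attrs(config)
    if secure and not https:
        return False  # Secure cookies never travel over plain http
    if not cross_site:
        return True   # same-site embedding: SameSite never blocks
    if browser.blocks_third_party:
        return False  # cross-site cookie blocked regardless of attributes
    effective = samesite if samesite is not None else ("Lax" if browser.lax_by_default else "None")
    if effective in ("Lax", "Strict"):
        return False  # an iframe load from another site is a cross-site request
    if browser.none_requires_secure and not secure:
        return False  # SameSite=None without Secure is rejected
    return True


def embed_diagnosis(config: dict, https: bool) -> dict:
    """Run one config through every browser profile; maps browser name to sent/not sent."""
    return {b.name: cookie_sent(config, b, https) for b in (CHROME, CHROME_INCOGNITO, FIREFOX)}


# Weak setting (Superset defaults: no SameSite, no Secure) beside the corrected one.
WEAK_CONFIG = {}
FIXED_CONFIG = {"SESSION_COOKIE_SAMESITE": "None", "SESSION_COOKIE_SECURE": True}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for https in (True, False):
            print(label, "https" if https else "http", embed_diagnosis(cfg, https))
```

Running it reproduces the thread: the defaults work in Firefox but not Chrome; `"None"` alone still fails in Chrome; `"None"` plus `Secure` works in Chrome over https only and never in the incognito profile. Keep `WTF_CSRF_ENABLED` on; the fix is to let the cookie through, not to stop checking the token.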

In Superset 0.36 it is also necessary to set `SESSION_COOKIE_HTTPONLY = False` to get the dashboard working (without the CSRF token issue) within an iframe.