angularapache-supersettalisman

Embedding an Apache Superset Dashboards in a different origin website using Talisman (X-Frame-Option error)

I am trying to Embed an Apache Superset Dashboard on another angular app deployed on a different host using an iFrame.

The angular app tries to retrieve the dashboard but i run into an error

X-Frame-Option sameorigin does not allow the display of iFrame

My Superset configuration includes TALISMAN configuration

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": [
            "'self'"
        ],
        "font-src": [
            "'self'"
        ],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'"
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'"
        ],
        "script-src": [
            "'self'", 
            "'strict-dynamic'", 
            "'unsafe-inline'",
            "'unsafe-eval'"
        ],
        "frame-ancestors": [
            "'self'",
            os.getenv('BASE_URL_EXTERNAL_APP'),
        ]
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": True,
    "force_https_permanent": False,
    "session_cookie_secure": False,
}
Solution

  • The default configuration of TALISMAN sets the 'frame_options' to 'sameorigin' by default.

    the new way to specify if an iframe is allowed is to the hostname in "frame-ancestors" the old way to handle it is via frame_options

    In my understanding, browsers should ignore the frame options but that was not my experience. What i had to do is to remove the X-Frame-Option header from the response by setting the frame-options variable to None:

    TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": [
            "'self'"
        ],
        "font-src": [
            "'self'"
        ],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'"
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'"
        ],
        "script-src": [
            "'self'", 
            "'strict-dynamic'", 
            "'unsafe-inline'",
            "'unsafe-eval'"
        ],
        "frame-ancestors": [
            "'self'",
            os.getenv('PWA'),
        ]
    },
    "content_security_policy_nonce_in": ["script-src"],
    "frame_options": None,
    "force_https": True,
    "force_https_permanent": False,
    "session_cookie_secure": False,
}

    Since I was running apache in DEBUG mode, I also had to set this config to the DEBUG config that talisman uses in the superset_config.py

    # if Superset is in DEBUG MODE, uses same configuration
TALISMAN_DEV_CONFIG = TALISMAN_CONFIG