
Error The CSRF session token is missing when embed superset in iframe #8382

Closed
3 tasks done
YBLS opened this issue Oct 14, 2019 · 32 comments
Labels
!deprecated-label:bug Deprecated label - Use #bug instead

Comments

@YBLS

YBLS commented Oct 14, 2019

Error The CSRF session token is missing when embed superset in iframe

Expected results

Embed charts or dashboard in my web page via iframe

Code

<iframe
  width="1600"
  height="800"
  seamless
  frameBorder="0"
  scrolling="no"
  src="http://192.168.11.118:8088/superset/explore/?form_data=%7B%22datasource%22%3A%2212__table%22%2C%22viz_type%22%3A%22deck_path%22%2C%22slice_id%22%3A81%2C%22url_params%22%3A%7B%7D%2C%22granularity_sqla%22%3Anull%2C%22time_grain_sqla%22%3Anull%2C%22time_range%22%3A%22+%3A+%22%2C%22line_column%22%3A%22path_json%22%2C%22line_type%22%3A%22json%22%2C%22row_limit%22%3A5000%2C%22filter_nulls%22%3Atrue%2C%22adhoc_filters%22%3A%5B%5D%2C%22mapbox_style%22%3A%22mapbox%3A%2F%2Fstyles%2Fmapbox%2Flight-v9%22%2C%22viewport%22%3A%7B%22altitude%22%3A1.5%2C%22bearing%22%3A0%2C%22height%22%3A1094%2C%22latitude%22%3A37.73671752604488%2C%22longitude%22%3A-122.18885402582598%2C%22maxLatitude%22%3A85.05113%2C%22maxPitch%22%3A60%2C%22maxZoom%22%3A20%2C%22minLatitude%22%3A-85.05113%2C%22minPitch%22%3A0%2C%22minZoom%22%3A0%2C%22pitch%22%3A0%2C%22width%22%3A669%2C%22zoom%22%3A9.51847667620428%7D%2C%22color_picker%22%3A%7B%22a%22%3A1%2C%22b%22%3A135%2C%22g%22%3A122%2C%22r%22%3A0%7D%2C%22line_width%22%3A150%2C%22reverse_long_lat%22%3Afalse%2C%22autozoom%22%3Atrue%2C%22js_columns%22%3A%5B%22color%22%5D%2C%22js_data_mutator%22%3A%22data+%3D%3E+data.map%28d+%3D%3E+%28%7B%5Cn++++...d%2C%5Cn++++color%3A+colors.hexToRGB%28d.extraProps.color%29%5Cn%7D%29%29%3B%22%2C%22js_tooltip%22%3A%22%22%2C%22js_onclick_href%22%3A%22%22%7D&standalone=true&height=400"
>
</iframe>

Actual results

Access in chrome address bar

Successful access

When accessing my web page via iframe
  • Role admin
    When I log in, I receive the error:

    Bad Request

    The CSRF session token is missing.

  • Role public
    Receive Error <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>400 Bad Request</title> <h1>Bad Request</h1> <p>The CSRF session token is missing.</p>

Screenshots

How to reproduce the bug

  1. Launch Apache Superset in virtualenv superset run -h 0.0.0.0 -p 8088
  2. Connect the link via iframe into another separate webpage
  3. See error

Environment

(please complete the following information):

  • superset version: 0.999.0dev / master 2019-10-13
  • python version: 3.7.3
  • node.js version: v10.15.2
  • npm version: 5.8.0

Checklist

Make sure these boxes are checked before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

config.py setting
PUBLIC_ROLE_LIKE_GAMMA = True

@issue-label-bot

Issue-Label Bot is automatically applying the label #bug to this issue, with a confidence of 0.79. Please mark this comment with 👍 or 👎 to give our bot feedback!


@issue-label-bot issue-label-bot bot added the !deprecated-label:bug Deprecated label - Use #bug instead label Oct 14, 2019
@YBLS YBLS closed this as completed Oct 18, 2019
@YBLS
Author

YBLS commented Oct 18, 2019

I have solved this problem.
SESSION_COOKIE_SAMESITE = None # One of [None, 'Lax', 'Strict']

@andrewmusselman
Contributor

Where did you set this? I've installed superset using pip and can't tell where I can set that variable; thanks.

@YBLS
Author

YBLS commented Dec 17, 2019

Where did you set this? I've installed superset using pip and can't tell where I can set that variable; thanks.

Set in superset/config.py. This is a Flask session cookie option.

@lilila

lilila commented Mar 19, 2020

In superset 0.36 it is also necessary to set
SESSION_COOKIE_HTTPONLY = False
to get dashboard working (without CSRF token issue) within iframe

@trepmag
Contributor

trepmag commented Jan 21, 2021

This issue produces quite some confusion because browser behaviors aren't aligned...

Actually, what I found is the following:

SESSION_COOKIE_SAMESITE = "None" # Sufficient for Firefox
SESSION_COOKIE_SECURE = True # Required for Google Chrome (at least from version 84)

This above setup is stated in an IETF proposal: Incrementally Better Cookies and was brought to my attention in this article: Cookies and Iframes.

Moreover, I noticed the following:

  • Google Chrome fails in incognito mode
  • Google Chrome fails if Superset is not under https

@michalrudko

If your Superset is not under https, the following setup worked for me:

SESSION_COOKIE_SAMESITE = None
SESSION_COOKIE_SECURE = False 
SESSION_COOKIE_HTTPONLY = False

Superset v.1.0.1, Chrome 89

@zhugw

zhugw commented May 24, 2021

I use version 1.1.0
My way is

WTF_CSRF_ENABLED = False

@im-naren

im-naren commented Jun 2, 2021

how can this issue be solved in a helm deployment??

@clarabez

clarabez commented Sep 9, 2021

Also changing "CSRF_ENABLED" to False worked for me:

CSRF_ENABLED = False

@kakoni
Contributor

kakoni commented Jan 4, 2022

Please note, it's SESSION_COOKIE_SAMESITE = "None" not SESSION_COOKIE_SAMESITE = None
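
As an added illustration (not code from this issue or from Superset), the following models how the three Flask settings discussed above become Set-Cookie attributes and which combinations a Chrome 80+ style browser will actually send from a cross-site iframe, including the Python None versus "None" difference kakoni points out. The rules encoded are the SameSite=Lax default for a missing attribute and the SameSite=None-requires-Secure rule that trepmag's comment describes; Firefox at the time was more lenient.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FlaskSessionCookie:
    """The Flask settings the thread keeps flipping (names follow Flask's config keys)."""
    samesite: Optional[str]   # SESSION_COOKIE_SAMESITE: None, "Lax", "Strict" or "None"
    secure: bool              # SESSION_COOKIE_SECURE
    httponly: bool = True     # SESSION_COOKIE_HTTPONLY (does not affect whether the cookie is sent)


def render_set_cookie(cfg: FlaskSessionCookie, value: str = "constructed-value") -> str:
    """Set-Cookie header Flask/Werkzeug emits for the session cookie under cfg.
    Python None drops the SameSite attribute entirely; the string "None" emits SameSite=None."""
    parts = [f"session={value}", "Path=/"]
    if cfg.httponly:
        parts.append("HttpOnly")
    if cfg.secure:
        parts.append("Secure")
    if cfg.samesite is not None:
        parts.append(f"SameSite={cfg.samesite}")
    return "; ".join(parts)


def cross_site_iframe_problems(set_cookie: str, superset_https: bool) -> List[str]:
    """Reasons a Chrome 80+ style browser would NOT send this cookie to Superset from a
    third-party iframe. An empty list means the cookie is usable cross-site. Incognito mode
    blocks third-party cookies regardless of attributes, which is why the thread sees failures there."""
    _, *attrs = [p.strip() for p in set_cookie.split(";")]
    flags = {a.split("=", 1)[0].lower(): (a.split("=", 1)[1] if "=" in a else "") for a in attrs}
    samesite = (flags.get("samesite") or "Lax").lower()  # missing attribute defaults to Lax
    problems = []
    if samesite != "none":
        problems.append(f"SameSite={samesite}: only sent on same-site requests, never from a foreign iframe")
    elif "secure" not in flags:
        problems.append("SameSite=None without Secure is rejected by the browser")
    if "secure" in flags and not superset_https:
        problems.append("Secure cookie is never stored when Superset is served over plain http")
    return problems


def check(cfg: FlaskSessionCookie, superset_https: bool) -> List[str]:
    """Convenience wrapper: config -> Set-Cookie -> list of cross-site problems."""
    return cross_site_iframe_problems(render_set_cookie(cfg), superset_https)
```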

@vishaltps

I am still getting the same error even after applying all the configurations.

I have tried setting SESSION_COOKIE_SAMESITE = "None" and SESSION_COOKIE_SAMESITE = None. I am using HTTPS and I don't want to disable CSRF.
I am getting the error below:

"{\"errors\": [{\"message\": \"400 Bad Request: The CSRF session token is missing.\", \"error_type\": \"GENERIC_BACKEND_ERROR\", \"level\": \"error\", \"extra\": {\"issue_codes\": [{\"code\": 1011, \"message\": \"Issue 1011 - Superset encountered an unexpected error.\"}]}}]}

It is working fine when I am trying to call the API from Postman. However, in the app, I keep getting the same error. I have also attached "Referer"=>"https://mydomain/api/v1/security/csrf_token/.

@Alvie

Alvie commented Aug 23, 2023

I am still getting the same error even after applying all the configurations.

I have tried setting SESSION_COOKIE_SAMESITE = "None" and SESSION_COOKIE_SAMESITE = None. I am using HTTPS and I don't want to disable CSRF. I am getting the error below:

"{\"errors\": [{\"message\": \"400 Bad Request: The CSRF session token is missing.\", \"error_type\": \"GENERIC_BACKEND_ERROR\", \"level\": \"error\", \"extra\": {\"issue_codes\": [{\"code\": 1011, \"message\": \"Issue 1011 - Superset encountered an unexpected error.\"}]}}]}

It is working fine when I am trying to call the API from Postman. However, in the app, I keep getting the same error. I have also attached "Referer"=>"https://mydomain/api/v1/security/csrf_token/.

In the "app", when you get the CSRF Token, it responds with a Set-Cookie header alongside the token. You need to use that same cookie when requesting the guest token.

Depending on how you're doing the requests, if you create a "client" that does all of the requests it'll probably store the cookies automatically. If not, you need to add the cookies in manually.

@vishaltps

vishaltps commented Oct 16, 2023

I have added complete blog on integration of embed superset dashboard - https://medium.com/@vishalsadriya1224/embedding-apache-superset-dashboards-in-ruby-on-rails-and-react-a-role-level-security-guide-697da01676af

@Alvie

Alvie commented Oct 28, 2023

I have added complete blog on integration of embed superset dashboard - https://medium.com/@vishalsadriya1224/embedding-apache-superset-dashboards-in-ruby-on-rails-and-react-a-role-level-security-guide-697da01676af

I think disabling CSP is a somewhat dangerous way of doing it. You should copy across the talisman config in config.py to superset_config.py, but allow frame ancestors from hosts you choose. Or even '*', but disabling talisman altogether and replacing it with custom CORS options is a bit complex and potentially dangerous if you do not know what you're doing.

Anyway, yes, from what I can tell, the issue is from the cookie not being set, so it is good you are including this.

@Rudneer

Rudneer commented Mar 1, 2024

headersauth = {
'Content-Type': 'application/json',
'Authorization': f'Bearer {access_token}',
'X-CSRFToken': csrf_token,
'Cookie': set_cookie
}
still getting the same error
{'errors': [{'message': '400 Bad Request: The CSRF session token is missing.', 'error_type': 'GENERIC_BACKEND_ERROR', 'level': 'error', 'extra': {'issue_codes': [{'code': 1011, 'message': 'Issue 1011 - Superset encountered an unexpected error.'}]}}]}

@Alvie

Alvie commented Mar 1, 2024

headersauth = { 'Content-Type': 'application/json', 'Authorization': f'Bearer {access_token}', 'X-CSRFToken': csrf_token, 'Cookie': set_cookie } still getting the same error {'errors': [{'message': '400 Bad Request: The CSRF session token is missing.', 'error_type': 'GENERIC_BACKEND_ERROR', 'level': 'error', 'extra': {'issue_codes': [{'code': 1011, 'message': 'Issue 1011 - Superset encountered an unexpected error.'}]}}]}

Try X-CSRF-TOKEN

@Rudneer

Rudneer commented Mar 1, 2024

@Alvie Nope still the same error.
set_cookie = response.headers['set-cookie']
I am using set-cookie from the csrf response header
My cookie contains 3 params
1 AWSALBTG
2 AWSALBTGCORS
3 session
it contains token value, expires and path

@Alvie

Alvie commented Mar 1, 2024

@Alvie Nope still the same error. set_cookie = response.headers['set-cookie'] I am using set-cookie from the csrf response header My cookie contains 3 params 1 AWSALBTG 2 AWSALBTGCORS 3 session it contains token value, expires and path

For me, the cookie session value contains the csrf token session value from the Set-Cookie response and it works.

@Alvie

Alvie commented Mar 1, 2024

@Alvie Nope still the same error. set_cookie = response.headers['set-cookie'] I am using set-cookie from the csrf response header My cookie contains 3 params 1 AWSALBTG 2 AWSALBTGCORS 3 session it contains token value, expires and path

I don't think the cookie is meant to be a header by the way, it might be an independent parameter.

If you are using python requests, it is something like this:

cookies = {'enwiki_session': '17ab96bd8ffbe8ca58a78657a918558'}

r = requests.post('http://wikipedia.org', cookies=cookies)

https://stackoverflow.com/a/7164897

@Rudneer

Rudneer commented Mar 1, 2024

@Alvie #8382 (comment)
In your above comment you mentioned I have to pass the set cookie header alongside the token.

@Alvie

Alvie commented Mar 1, 2024

@Alvie #8382 (comment) In your above comment you mentioned I have to pass the set cookie header alongside the token.

You misunderstood. The server responds with the Set-Cookie header, so your client application should set that cookie. Many libraries don't persist cookies, so this is something you need to do yourself. Whatever the Set-Cookie has the server has responded with e.g. 'session': 'csrf_cookie_value', in your cookies in future responses need to have 'session': 'csrf_cookie_value'
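
An added example (not from this issue or from Superset) showing what a cookie jar actually keeps from Set-Cookie headers like the three Rudneer lists, and how the follow-up request's headers are then assembled so the CSRF token travels with the same session cookie; all cookie values and the Expires dates are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample: Set-Cookie headers of the kind returned by the csrf_token endpoint
# behind an AWS load balancer (names from the thread, values are placeholders).
SET_COOKIE_HEADERS = [
    "session=PLACEHOLDER_SESSION; Expires=Fri, 01 Mar 2024 12:00:00 GMT; HttpOnly; Path=/; SameSite=None; Secure",
    "AWSALBTG=PLACEHOLDER_ALB; Expires=Fri, 08 Mar 2024 12:00:00 GMT; Path=/",
    "AWSALBTGCORS=PLACEHOLDER_ALB; Expires=Fri, 08 Mar 2024 12:00:00 GMT; Path=/; SameSite=None; Secure",
]


def cookie_jar_from_set_cookie(set_cookie_headers: List[str]) -> Dict[str, str]:
    """What a browser or requests.Session keeps from Set-Cookie: only name=value.
    Attributes (Expires, Path, HttpOnly, SameSite, Secure) describe the cookie and are never sent back."""
    jar: Dict[str, str] = {}
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0].strip()   # everything after the first ';' is an attribute
        if "=" in pair:
            name, value = pair.split("=", 1)
            jar[name.strip()] = value.strip()
    return jar


def cookie_header(jar: Dict[str, str]) -> str:
    """Cookie request header in the form the server parses: name=value pairs joined by '; '."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def csrf_request_headers(access_token: str, csrf_token: str, jar: Dict[str, str]) -> Dict[str, str]:
    """Headers for the follow-up request. Flask-WTF reads the token from X-CSRFToken (or
    X-CSRF-Token) and checks it against the session, so the session cookie must go along with it."""
    return {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",
        "X-CSRFToken": csrf_token,
        "Cookie": cookie_header(jar),
    }


def is_raw_set_cookie(cookie_header_value: str) -> bool:
    """True if a Set-Cookie value was pasted into Cookie unchanged, i.e. attributes leaked into the request."""
    markers = ("expires=", "path=", "httponly", "secure", "samesite=", "max-age=")
    return any(m in cookie_header_value.lower() for m in markers)
```

With requests, a Session does this automatically; if you build the jar by hand, note that response.headers['set-cookie'] folds several Set-Cookie headers into one comma-joined string, so read them individually from response.raw.headers.getlist('Set-Cookie').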

@spars57

spars57 commented May 15, 2024

I'm still having this issue, the cookie is stored on the browser and is being sent to API but the same error persists. Did anyone find a solution for this?

@Alvie

Alvie commented May 15, 2024

I'm still having this issue, the cookie is stored on the browser and is being sent to API but the same error persists. Did anyone find a solution for this?

Can you send an example of your API request headers, including cookies?

@spars57

spars57 commented May 15, 2024

Here are the print screens of the request that I'm doing:


Even with Authorization, X-CSRF-Token headers and Session Cookie being passed, looks like the error persists


@Alvie

Alvie commented May 15, 2024

Here are the print screens of the request that I'm doing:

Even with Authorization, X-CSRF-Token headers and Session Cookie being passed, looks like the error persists


I could be wrong but it looks like there's no cookies being sent in the request. Maybe the cookie from the Set-Cookie response hasn't been applied to the client

@spars57

spars57 commented May 16, 2024

"I could be wrong but it looks like there's no cookies being sent in the request. Maybe the cookie from the Set-Cookie response hasn't been applied to the client"

Do you know how I can apply that cookie to the client?

@Alvie

Alvie commented May 16, 2024

"I could be wrong but it looks like there's no cookies being sent in the request. Maybe the cookie from the Set-Cookie response hasn't been applied to the client"

Do you know how I can apply that cookie to the client?

Sorry, I'm not entirely sure. I think it depends on the library you are using. Apparently (for example), the fetch API doesn't include it by default, and you need to use credentials: "include".
Source: https://stackoverflow.com/a/71215698

Do you see the session Cookie in Dev Tools > Application > Storage > Cookies?

@spars57

spars57 commented May 17, 2024

Actually adding { credentials: "include" } to fetch() options solved the issue, thanks!

@Alvie

Alvie commented May 17, 2024

Actually adding { credentials: "include" } to fetch() options solved the issue, thanks!

You're very welcome! Glad to hear your issue is fixed :)

@1sarah

1sarah commented Jul 4, 2024

your config.py should look like this .................
TALISMAN_ENABLED = False
HTTP_HEADERS = {"X-Frame-Options": "ALLOWALL"}
DATA_CACHE_CONFIG = CACHE_CONFIG
ENABLE_PROXY_FIX = True
ENABLE_CORS = True  # Enables CORS
WTF_CSRF_ENABLED = False  # Disables CSRF protection
CORS_OPTIONS = {
    "supports_credentials": True,
    "allow_headers": "*",
    "expose_headers": "*",
    "resources": "*",
    "origins": ["*"],
}
This worked for me

@Alvie

Alvie commented Jul 4, 2024

your config.py should look like this ................. TALISMAN_ENABLED = False HTTP_HEADERS={"X-Frame-Options":"ALLOWALL"} DATA_CACHE_CONFIG = CACHE_CONFIG ENABLE_PROXY_FIX = True ENABLE_CORS = True #TO enable cores WTF_CSRF_ENABLED=False #To enable csrf token CORS_OPTIONS = { "supports_credentials": True, "allow_headers": "", "expose_headers": "", "resources": "", "origins": [""] } This worked for me

This will work, but it's dangerous to present it as the solution because you disabled many security features in the process.

This will disable CSP, CSRF, and Talisman, and allows CORS from anywhere.

Instead of disabling Talisman and a lot of security features, you should just add the frame ancestors you wish to allow in the TALISMAN_CONFIG (copy it from superset/config.py and paste it to docker/pythonpath_dev/superset_config.py)

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": [
            "'self'",
            "blob:",
            "data:",
            "https://apachesuperset.gateway.scarf.sh",
            "https://static.scarf.sh/",
            # "https://avatars.slack-edge.com", # Uncomment when SLACK_ENABLE_AVATARS is True
        ],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
        "frame-ancestors": ["*"], # MAKE SURE TO ADD ORIGIN HERE TO ALLOW
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
