devyash786 opened a new issue, #33067: URL: https://github.com/apache/superset/issues/33067
### Bug description

We encountered an issue while trying to embed a Superset dashboard using a guest token. Specifically, we faced a "Referer header mismatch" error. Attempts to manually configure the Referer header through the UI were unsuccessful, as browsers do not allow modification of these headers directly.

Current Approach: We tried a backend approach to solve the issue by creating an endpoint in our system that would hit all necessary APIs sequentially, setting the Referer header to match the required value for each API call, and then retrieve the guest token. This solution required maintaining session information across API calls, so I implemented CookieSession to pass the session token between calls.

Problem Encountered: When invoking this API from our UI system, the session includes user-related cookies. This interferes with the login/logout flow in Superset, as the cookies in the same browser session cause login issues. For example, to log in to Superset successfully, we are forced to either clear the cookies or use incognito mode. This is undesirable behavior for the user.

Additional Attempts: We tried modifying the Superset application blueprint by adding an endpoint without CSRF protection to bypass CSRF checks, but this did not resolve the issue. Setting the WTF_CSRF_EXEMPT_LIST flag did not work as expected either.

Expected Behavior: The integration should allow us to call the necessary APIs, set the appropriate Referer header, and retrieve the guest token without interfering with the session or login/logout process in Superset.

### Screenshots/recordings

_No response_

### Superset version

master / latest-dev

### Python version

3.9

### Node version

16

### Browser

Chrome

### Additional context

_No response_

### Checklist

- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
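The following is an added example, not code from the issue or from Superset, of the backend flow the reporter describes, written so that Superset's own session cookie is held only in the backend's cookie jar and never forwarded to the browser; the UI receives nothing but the guest token string, so it cannot collide with a user's interactive Superset login. The three endpoint paths, request bodies and response fields (`/api/v1/security/login`, `/api/v1/security/csrf_token/`, `/api/v1/security/guest_token/`) are Superset's public REST API; the `send(method, url, headers, body)` transport signature, the `FakeSuperset` stand-in, the hostnames, credentials and dashboard UUID are constructed for this illustration. The fake server reproduces the Referer-host comparison that Flask-WTF performs in its strict CSRF mode (and its error message) so the "referrer does not match the host" failure can be triggered offline by pointing the backend at a base URL whose host differs from the one Superset expects.

```python
"""Server-side guest-token broker for an embedded Superset dashboard (constructed example)."""
import json
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def fetch_guest_token(base_url, username, password, dashboard_uuid, guest_user, send):
    """login -> csrf_token -> guest_token, entirely on the backend.

    `send(method, url, headers, body)` is a hypothetical transport returning
    (status, resp_headers, json_body) so the flow can run against a fake offline.
    Cookies Superset sets are kept in `jar` and replayed only to Superset; the
    caller gets just the guest token, so browser sessions are never touched.
    """
    root = base_url.rstrip("/")
    referer = root + "/"  # Referer must carry the host Superset is served on
    jar = {}

    def call(method, path, body=None, extra=None):
        headers = {"Content-Type": "application/json", "Referer": referer}
        if jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        headers.update(extra or {})
        status, resp_headers, payload = send(method, root + path, headers, body)
        for raw in resp_headers.get("Set-Cookie", []):  # Flask session cookie stays here
            cookie = SimpleCookie()
            cookie.load(raw)
            for name, morsel in cookie.items():
                jar[name] = morsel.value
        if status != 200:
            raise RuntimeError(f"{method} {path} -> {status}: {payload.get('message', payload)}")
        return payload

    access = call("POST", "/api/v1/security/login",
                  {"username": username, "password": password,
                   "provider": "db", "refresh": True})["access_token"]
    auth = {"Authorization": f"Bearer {access}"}
    csrf = call("GET", "/api/v1/security/csrf_token/", extra=auth)["result"]
    return call("POST", "/api/v1/security/guest_token/",
                {"user": guest_user,
                 "resources": [{"type": "dashboard", "id": dashboard_uuid}],
                 "rls": []},
                extra={**auth, "X-CSRFToken": csrf})["token"]


def urllib_send(method, url, headers, body):
    """Real stdlib transport with the same signature; not used by the offline demo."""
    import urllib.error
    import urllib.request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return (resp.status, {"Set-Cookie": resp.headers.get_all("Set-Cookie") or []},
                    json.loads(resp.read() or b"{}"))
    except urllib.error.HTTPError as err:
        return err.code, {}, json.loads(err.read() or b"{}")


class FakeSuperset:
    """Constructed stand-in: sets a session cookie like Flask and, on the CSRF-protected
    guest_token endpoint, compares the Referer host to its own host like Flask-WTF."""
    def __init__(self, host):
        self.host = host
        self.calls = []  # (method, url, headers) as seen by the server

    def send(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers)))
        path = urlparse(url).path
        cookie_hdr = {"Set-Cookie": ["session=server-side-only; HttpOnly; Path=/"]}
        if path == "/api/v1/security/login":
            return 200, cookie_hdr, {"access_token": "acc", "refresh_token": "ref"}
        if path == "/api/v1/security/csrf_token/":
            return 200, cookie_hdr, {"result": "csrf123"}
        if path == "/api/v1/security/guest_token/":
            if urlparse(headers.get("Referer", "")).netloc != self.host:
                return 400, {}, {"message": "The referrer does not match the host."}
            if headers.get("X-CSRFToken") != "csrf123" or "session=" not in headers.get("Cookie", ""):
                return 400, {}, {"message": "The CSRF token is missing."}
            return 200, cookie_hdr, {"token": "guest.jwt.example"}
        return 404, {}, {"message": "Not found"}


def run_broker(superset_host, base_url):
    """Drive the flow against FakeSuperset and report what the UI would observe."""
    srv = FakeSuperset(superset_host)
    out = {"token": None, "error": None}
    try:
        out["token"] = fetch_guest_token(
            base_url, "embed_svc", "s3cret", "0a7f6c3e-0000-4000-8000-000000000000",
            {"username": "guest", "first_name": "Guest", "last_name": "User"}, srv.send)
    except RuntimeError as err:
        out["error"] = str(err)
    # The Flask session cookie was replayed to Superset on later calls but never returned above.
    out["cookie_replayed_to_superset"] = any("session=" in h.get("Cookie", "") for _, _, h in srv.calls)
    return out


if __name__ == "__main__":
    print(run_broker("superset.internal:8088", "http://superset.internal:8088"))  # matching Referer
    print(run_broker("superset.internal:8088", "http://localhost:8088"))          # mismatch
```

The second call reproduces the reporter's symptom: the backend reaches Superset through a URL whose host is not the one Superset checks against, so the Referer it sends is rejected even though CSRF token and session cookie are both present. Fixing the base URL (or the host Superset expects) is what makes the flow succeed; forwarding Superset's cookies to the browser is never necessary.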
