GitHub user stgztsw added a comment to the discussion: The issue regarding
obtaining an Embedded Token
> The error happens because Superset sets the `X-Frame-Options` header to
> `sameorigin`, which blocks embedding in an iframe from a different origin. To
> allow embedding, update your `superset_config.py` to configure the Content
> Security Policy (CSP) with the `frame-ancestors` directive, listing the
> domains allowed to embed Superset. For example:
>
> ```python
> TALISMAN_ENABLED = True
> TALISMAN_CONFIG = {
>     "content_security_policy": {
>         "frame-ancestors": ["your-embedding-domain.com"],
>     }
> }
> ```
>
> You can also override headers directly with `OVERRIDE_HTTP_HEADERS` if
> needed. After making these changes, restart Superset for them to take effect.
> Be aware that allowing cross-origin embedding can expose your dashboards to
> clickjacking and other risks—only allow trusted domains. For more details,
> see [this thread](https://github.com/apache/superset/issues/31434).
>
> If you still have issues, check that your dashboard is published, the
> embedding domain is listed in `allowed_domains`, and review CORS and referrer
> policy settings as described
> [here](https://github.com/apache/superset/discussions/33912).
>
Hi @dosu, thanks for your reply.
I resolved this problem as you said.
But when Chrome loads the URLs below, the error message "Forbidden" occurs.
http://172.19.145.51:8088/api/v1/dashboard/10
http://172.19.145.51:8088/api/v1/dashboard/10/charts
http://172.19.145.51:8088/api/v1/dashboard/10/datasets
I think this is an authorization issue. When I access Superset through the
Superset embedding scenario, who is the current visitor? And who should I grant
authorization to?
GitHub link:
https://github.com/apache/superset/discussions/35670#discussioncomment-14695479
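
An added example, not part of the original thread or of Superset's code: a small checker that decides whether a response's `X-Frame-Options` and CSP `frame-ancestors` headers let a given origin embed the page, which helps verify that only the intended domain was opened up. The Superset origin, the sample headers and the function names are constructed for illustration; source matching is simplified (no scheme-only sources or port wildcards) and only one embedding ancestor is checked.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def _source_matches(source, embedder, self_url):
    """Simplified CSP source matching: *, 'self', host, *.host, scheme://host[:port]."""
    if source == "*":
        return True
    if source == "'self'":
        return _origin(embedder) == _origin(self_url)
    if "://" not in source:
        # A scheme-less source takes the scheme of the protected page.
        source = f"{_origin(self_url)[0]}://{source}"
    s = urlsplit(source)
    e_scheme, e_host, e_port = _origin(embedder)
    scheme_ok = s.scheme == e_scheme or (s.scheme == "http" and e_scheme == "https")
    s_host = s.hostname or ""
    host_ok = e_host.endswith(s_host[1:]) if s_host.startswith("*.") else e_host == s_host
    # No port in the source means "the default port for the embedder's scheme".
    port_ok = e_port == (s.port or DEFAULT_PORTS.get(e_scheme))
    return scheme_ok and host_ok and port_ok

def framing_allowed(headers, embedder, self_url):
    """Return (allowed, deciding_header) for one top-level embedder origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            ok = any(_source_matches(p, embedder, self_url) for p in parts[1:])
            return ok, "frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "x-frame-options"
    if xfo == "sameorigin":
        return _origin(embedder) == _origin(self_url), "x-frame-options"
    return True, "none"

# Constructed sample values: Superset origin and response headers.
SUPERSET = "http://superset.example:8088"
BEFORE = {"X-Frame-Options": "SAMEORIGIN"}
AFTER = {"X-Frame-Options": "SAMEORIGIN",
         "Content-Security-Policy": "default-src 'self'; frame-ancestors your-embedding-domain.com"}

if __name__ == "__main__":
    for origin in ("https://your-embedding-domain.com", "http://your-embedding-domain.com:3000"):
        print(origin, framing_allowed(BEFORE, origin, SUPERSET), framing_allowed(AFTER, origin, SUPERSET))
```

A bare host such as `your-embedding-domain.com` in `frame-ancestors` only matches the default port, so an embedding app served from a non-default port (the `:3000` case above) stays blocked until the source lists that port explicitly.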