eschutho opened a new pull request, #35584:
URL: https://github.com/apache/superset/pull/35584

   ### SUMMARY
   
   Replaces iframe-based resource export with fetch API and blob downloads to prevent Content Security Policy (CSP) `frame-src` violations.
   
   **The Problem:**
   The previous export implementation created hidden iframes to trigger downloads, which violates strict CSP policies that set `frame-src 'none'`. This resulted in console errors:
   ```
   Refused to frame '...' because it violates the following Content Security Policy directive: "frame-src 'none'"
   ```
   
   **The Solution:**
   - Use `SupersetClient.get()` with `parseMethod: 'raw'` to fetch export files as blobs
   - Parse `Content-Disposition` headers for proper filenames
   - Programmatically create download links and trigger them
   - Add proper async/await error handling with user-friendly toast messages
   
   **Benefits:**
   - ✅ No CSP violations - never attempts to frame URLs
   - ✅ Better error handling - catches and displays errors to users
   - ✅ Consistent with existing patterns - follows same approach as dashboard screenshot downloads
   - ✅ Works with strict Content Security Policies
   
   ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
   
   **Before:** Browser console shows CSP violation errors when exporting dashboards/charts
   **After:** Exports work cleanly without CSP violations
   
   ### TESTING INSTRUCTIONS
   
   1. **Setup**: Ensure your Superset instance has a strict CSP configured (or use browser dev tools to simulate)
   2. **Test Dashboard Export**:
      - Go to Dashboard List (`/dashboard/list/`)
      - Select one or more dashboards
      - Click "Export" from the actions menu or bulk actions
      - Verify the ZIP file downloads successfully
      - Check browser console - no CSP errors should appear
   3. **Test Chart Export**:
      - Go to Chart List (`/chart/list/`)
      - Select one or more charts
      - Click "Export" 
      - Verify download and no console errors
   4. **Test Other Resource Types**:
      - Repeat for Datasets, Databases, Saved Queries, and Themes
   5. **Test Error Handling**:
      - Use network throttling or mock a failed API response
      - Verify error toast appears with helpful message
      - Verify loading state clears properly
   
   ### ADDITIONAL INFORMATION
   
   - [ ] Has associated issue:
   - [ ] Required feature flags: None
   - [ ] Changes UI: No (backend behavior only)
   - [ ] Includes DB Migration: No
   - [ ] Introduces new feature or API: No
   - [ ] Removes existing feature or API: No
   
   **Files Changed:**
   - `superset-frontend/src/utils/export.ts` - Core export utility (iframe → fetch)
   - `superset-frontend/src/utils/export.test.ts` - Comprehensive unit tests
   - 8 files - Updated export handlers with async/await and error handling:
     - DashboardList, ChartList, DatasetList, DatabaseList
     - SavedQueryList, ThemeList, ChartTable, DashboardTable
   
   **Test Coverage:**
   - Unit tests cover success paths, error cases, and edge cases
   - Tests verify correct API calls, blob handling, filename parsing, and cleanup
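The fetch-and-blob download flow the summary describes, as an added example that is not the PR's code: it substitutes a plain `fetch` wrapper for `SupersetClient`, and the function names (`filenameFromContentDisposition`, `downloadExport`) and the injectable `fetchImpl`/`doc` parameters are assumptions made here so the logic runs without a browser.

```javascript
// Added example, not Superset's own code. No iframe is ever created, so a
// CSP with frame-src 'none' has nothing to refuse.

// Pick a base filename from a Content-Disposition header. Handles the
// RFC 6266 filename*=UTF-8''... form, the quoted filename="..." form and a
// bare token. Path separators are stripped so a server-supplied name cannot
// smuggle "../" into the download attribute; a safe fallback is used otherwise.
function filenameFromContentDisposition(header, fallback = 'export.zip') {
  if (!header) return fallback;
  const ext = header.match(/filename\*\s*=\s*utf-8''([^;]+)/i);
  if (ext) {
    try { return sanitizeName(decodeURIComponent(ext[1].trim()), fallback); }
    catch (e) { /* malformed percent-encoding: fall through to other forms */ }
  }
  const quoted = header.match(/filename\s*=\s*"((?:[^"\\]|\\.)*)"/);
  if (quoted) return sanitizeName(quoted[1].replace(/\\(.)/g, '$1'), fallback);
  const bare = header.match(/filename\s*=\s*([^;\s]+)/);
  return bare ? sanitizeName(bare[1], fallback) : fallback;
}

// Keep only the last path component; reject empty, "." and "..".
function sanitizeName(name, fallback) {
  const base = name.split(/[\\/]/).pop().trim();
  return base && base !== '.' && base !== '..' ? base : fallback;
}

// Fetch the export as a blob and hand it to the browser through a transient
// <a download> element. A non-2xx status is surfaced as an Error so the caller
// can show a toast and clear its loading state. `fetchImpl` and `doc` default
// to the page globals; they are parameters only so the flow is testable.
async function downloadExport(url, { fetchImpl = fetch, doc = globalThis.document } = {}) {
  const response = await fetchImpl(url, { credentials: 'same-origin' });
  if (!response.ok) {
    throw new Error(`Export failed: HTTP ${response.status}`);
  }
  const filename = filenameFromContentDisposition(response.headers.get('Content-Disposition'));
  const blob = await response.blob();
  const objectUrl = URL.createObjectURL(blob);
  const link = doc.createElement('a');
  link.href = objectUrl;
  link.download = filename;
  link.style.display = 'none';
  doc.body.appendChild(link);
  try {
    link.click();
  } finally {
    doc.body.removeChild(link);      // always clean up the DOM node
    URL.revokeObjectURL(objectUrl);  // and release the blob's memory
  }
  return filename;
}
```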

