Iframe CSRF Token Missing #7079
Labels
Comments
|
|
|
There is a setting to enable CSRF ENFORCE_CSRF = parse_boolean(os.environ.get("REDASH_ENFORCE_CSRF", "false"))Try adding this to your This is not documented! This should be added to https://redash.io/help/open-source/admin-guide/env-vars-settings/ |
|
@lucydodo Any interest in adding that? ^^^ 😄 |
|
@justinclift Sure. I'll go home and add it to the documentation. :) |
lucydodo
added a commit
to getredash/website
that referenced
this issue
Jul 30, 2024
|
@985958118 @eradman It's now on the website's environment variables list: https://redash.io/help/open-source/admin-guide/env-vars-settings/ |
|
@985958118 did enabling CSRF solve your problem? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
HTML:
<iframe width={1500} height={800} src="http://xxx:8080/dashboards" />Nginx:
server {
listen 8080;
server_name _;
location / {
proxy_pass http://xxx:5000;
more_set_headers "Access-Control-Allow-Origin: * ";
more_set_headers "X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-src redash.io;";
more_set_headers "Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-src redash.io;";
more_set_headers "X-Frame-Options: xxx";
more_set_headers "Set-Cookie: $sent_http_set_cookie; HttpOnly; Secure; SameSite=None";
}
}
The text was updated successfully, but these errors were encountered: