get guest token from header instead of cookie

superset/config.py

@@ -1262,7 +1262,7 @@ def SQL_QUERY_MUTATOR(  # pylint: disable=invalid-name,unused-argument
 GUEST_ROLE_NAME = "Public"
 GUEST_TOKEN_JWT_SECRET = "test-guest-secret-change-me"
 GUEST_TOKEN_JWT_ALGO = "HS256"
-GUEST_TOKEN_COOKIE_NAME = "__guest_token__"
+GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
 GUEST_TOKEN_JWT_EXP_SECONDS = 300  # 5 minutes
 
 # A SQL dataset health check. Note if enabled it is strongly advised that the callable

superset/security/manager.py

@@ -1283,7 +1283,7 @@ def get_guest_user(self, req: Request) -> Optional[GuestUser]:
 
         :return: A guest user object
         """
-        raw_token = req.cookies.get(current_app.config["GUEST_TOKEN_COOKIE_NAME"])
+        raw_token = req.headers.get(current_app.config["GUEST_TOKEN_HEADER_NAME"])
         if raw_token is None:
             return None