Markdown with iframe (Echart type - Big Number ) error: "Unexpected token < in JSON at position 0" #18150

Closed
gndsnts opened this issue Jan 24, 2022 · 8 comments

gndsnts commented Jan 24, 2022

Hey,

I'm trying to create a simple HTML page that uses an iframe with a link from Superset.

In this dashboard, there are 2 echarts:
1 Timeseries - Markdown element with iframe
1 Big Number - Markdown element with iframe

Screenshot from Superset:
[image]

Screenshot from the page I created, which contains an iframe with the dashboard URL:
[image]

I don't know how this happens: one iframe works and the other has the error "Unexpected token < in JSON at position 0".

In Chrome devtools I get this result:
[image]

At the moment, in config.py, I have WTF_CSRF_ENABLED = True (the default), and I use this CORS configuration:

```python
from typing import Any, Dict

# CORS Options
ENABLE_CORS = True
CORS_OPTIONS: Dict[Any, Any] = {}
# I added my domains to SUPERSET_WEBSERVER_DOMAINS, for example:
SUPERSET_WEBSERVER_DOMAINS = {"domain1", "domain2", "domain3"}
```

My config.py: config.py.txt

I think these are the most important changes I made, but it's not enough... if anyone can help me, I would appreciate it.

Best regards

gndsnts changed the title from "Error on load dashboard that contained iframe "Unexpected token < in JSON at position 0"" to "Markdown with iframe (Echart type - Big Number ) error: "Unexpected token < in JSON at position 0"" Jan 24, 2022
geido (Member) commented Jan 25, 2022

Hello @gndsnts which Superset version are you running?

geido (Member) commented Jan 25, 2022

Related or duplicate of #18126

@geido geido added need:more-info Requires more information from author validation:required A committer should validate the issue labels Jan 25, 2022
mbcsa commented Jan 25, 2022

Hi, something similar happens to me.
In my case, I think it has something to do with legacy charts.

[image]

1- When I embed a public dashboard with "echarts" and "legacy charts", only "echarts" works, making requests to
domain.com/api/v1/chart/data?form_data=... (200 OK)
2- while legacy charts make requests to:
domain.com/superset/explore_json/?form_data=... (302 FOUND, then redirects to /login)
domain.com/login/

[image]

geido (Member) commented Jan 25, 2022

Related or duplicate of #17436

mbcsa commented Jan 25, 2022

In my case, I solved it by adding

WTF_CSRF_ENABLED = False

to superset_config.py

It allowed me to show Legacy Charts.

gndsnts (Author) commented Jan 25, 2022

It worked!!! Thanks!!

However, I believe that it is not a good option to disable this CSRF protection.

I would like to know if there are other options.

Is there someone who can help me?

suddjian (Member) commented

> In my case, I think it has something to do with legacy charts.

That's exactly right, legacy charts use an older data endpoint that wasn't added to the CSRF exempt list.

> However, I believe that it is not a good option to disable this CSRF protection.

Also correct, disabling CSRF protection can open you up to XSS vulnerabilities.

We ran into the same problem independently, and just merged a PR that changes the CSRF exempt list, here: https://github.com/apache/superset/pull/17530/files#diff-c99ae4b2b09b756ab2189a99a9685229f9d12633fc2616c368ea869770f603bfR202. The endpoint is safe to make exempt from CSRF, because although it is a POST, it does not alter any application state and can't be used for XSS attacks.

I believe that commit should solve this issue, and the other related ones.
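To make the trade-off between the two comments above concrete (the `WTF_CSRF_ENABLED = False` workaround versus the merged change to the CSRF exempt list): the following is an added example, not code from Superset or from anyone in this thread. The three dicts mirror the shape of `superset_config.py` settings, and `csrf_check_required()` models the decision Flask-WTF's CSRFProtect makes for a request (enabled flag, HTTP method, exempt list), so the configurations can be compared offline. The dotted view names (`superset.views.core.explore_json`, `superset.charts.data.api.data` and the state-changing endpoints in the request table) are assumptions; check them against the `WTF_CSRF_EXEMPT_LIST` shipped in your Superset version's config.py.

```python
"""Compare three CSRF configurations for an embedded Superset dashboard.

Added example, not Superset's code. csrf_check_required() models the
check Flask-WTF's CSRFProtect performs; the view names are assumptions.
"""
from typing import Any, Dict, List, Tuple

# Symptom seen in the thread: the echarts data endpoint is exempt, the
# legacy explore_json endpoint is not, so only legacy charts fail.
PRE_FIX_CONFIG: Dict[str, Any] = {
    "WTF_CSRF_ENABLED": True,
    "WTF_CSRF_EXEMPT_LIST": ["superset.charts.data.api.data"],  # assumed name
}

# Workaround posted above: no request is ever checked, including ones
# that change application state.
WEAK_CONFIG: Dict[str, Any] = {
    "WTF_CSRF_ENABLED": False,
    "WTF_CSRF_EXEMPT_LIST": [],
}

# Shape of the merged fix: CSRF stays on, and only the read-only data
# view that legacy charts POST to is added to the exempt list.
FIXED_CONFIG: Dict[str, Any] = {
    "WTF_CSRF_ENABLED": True,
    "WTF_CSRF_EXEMPT_LIST": [
        "superset.charts.data.api.data",      # assumed name
        "superset.views.core.explore_json",   # assumed name
    ],
}

# Flask-WTF only checks methods that may change state.
CSRF_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_check_required(method: str, view: str, config: Dict[str, Any]) -> bool:
    """True if a request to `view` using `method` must carry a valid CSRF token."""
    if not config["WTF_CSRF_ENABLED"]:
        return False
    if method.upper() not in CSRF_METHODS:
        return False
    return view not in config["WTF_CSRF_EXEMPT_LIST"]


# Constructed request table: (method, dotted view name, changes state?).
# Only the explore_json entry comes from the thread; the others are
# assumed names standing in for Superset endpoints.
REQUESTS: List[Tuple[str, str, bool]] = [
    ("POST", "superset.views.core.explore_json", False),  # legacy chart data
    ("POST", "superset.charts.data.api.data", False),     # echarts data
    ("POST", "superset.dashboards.api.post", True),       # create a dashboard
    ("DELETE", "superset.charts.api.delete", True),       # delete a chart
    ("GET", "superset.dashboards.api.get", False),
]


def legacy_chart_data_blocked(config: Dict[str, Any]) -> bool:
    """Does the legacy chart's POST to explore_json still need a token (the failure in the thread)?"""
    return csrf_check_required("POST", "superset.views.core.explore_json", config)


def unchecked_state_changes(config: Dict[str, Any]) -> List[str]:
    """State-changing views that would be accepted without any CSRF token."""
    return [
        view
        for method, view, changes_state in REQUESTS
        if changes_state and not csrf_check_required(method, view, config)
    ]


if __name__ == "__main__":
    for name, cfg in (("pre-fix", PRE_FIX_CONFIG), ("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name:8} legacy chart blocked: {legacy_chart_data_blocked(cfg)!s:5} "
              f"unchecked state changes: {unchecked_state_changes(cfg)}")
```

Running it shows the point of the thread: the pre-fix list blocks the legacy chart but protects everything else, the workaround unblocks the chart by leaving every state-changing POST and DELETE unchecked, and the exempt-list fix unblocks the chart while keeping those requests protected.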

gndsnts (Author) commented Jan 26, 2022

Thanks to everyone for the help.

@geido geido removed validation:required A committer should validate the issue need:more-info Requires more information from author labels Feb 1, 2022