Superset uses flask-talisman to set a number of important HTTP headers to improve security. The library was created at Google, abandoned, and picked up again by the original creators outside of Google. However, it is now again untouched for several years, and I think it could be a liability for Superset in the long run. There are other issues requesting that it be documented in Superset.
For example, the X-Frame-Options header is deprecated and could stop working at any moment depending on how long browsers decide to support it, and this is used by a lot of Superset users to embed dashboards in operational systems.
There are other issues suggesting that the settings be documented better (I for one spent quite some time digging through issues and source code to figure it out), but since the library basically just contains a few lines of code, we could vendor it and tailor it more to Superset's use. For example, we could hide the header config behind some setting ALLOW_EMBED_ORIGINS or something like that.
Thoughts?
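As an added illustration of the proposal above (example code, not from Superset or flask-talisman): a Flask `after_request` hook that derives the anti-framing headers from a hypothetical `ALLOW_EMBED_ORIGINS` list, emitting a CSP `frame-ancestors` directive as the primary control and keeping `X-Frame-Options` only as a fail-closed fallback for browsers without CSP support. The function names are assumptions; the hook assumes no other `Content-Security-Policy` header is set, otherwise the directive would have to be merged into the existing policy.

```python
from urllib.parse import urlsplit

# Hypothetical setting named in the discussion; an empty list means "never embeddable".
ALLOW_EMBED_ORIGINS: list[str] = []


def _validate_origin(origin: str) -> str:
    """Accept only scheme://host[:port] (a CSP host-source); reject paths, query, credentials."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or "@" in parts.netloc:
        raise ValueError(f"origin must not carry a path, query or credentials: {origin!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


def embed_headers(allow_embed_origins) -> dict[str, str]:
    """Return the anti-framing headers for the configured allow-list."""
    origins = [_validate_origin(o) for o in (allow_embed_origins or [])]
    if not origins:
        # Nothing configured: deny framing everywhere, old browsers included.
        return {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"}
    # Browsers that understand frame-ancestors must ignore X-Frame-Options, so SAMEORIGIN only
    # affects legacy browsers, where it fails closed (cross-origin embeds are refused, not allowed).
    sources = " ".join(["'self'", *dict.fromkeys(origins)])  # de-duplicate, keep order
    return {"Content-Security-Policy": f"frame-ancestors {sources}", "X-Frame-Options": "SAMEORIGIN"}


def install_embed_headers(app, allow_embed_origins):
    """Register an after_request hook that overrides any previously set framing headers."""
    headers = embed_headers(allow_embed_origins)  # validate once at startup, not per request

    @app.after_request
    def _apply(response):
        for name, value in headers.items():
            response.headers[name] = value
        return response

    return _apply
```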