Google Git
Sign in
apache/superset/refs/heads/fix/embedded-sdk-id-format-validation
commit
97b6465ecef429570f4486c2c7ded34fc534adf5
[log]
author
Claude Code <noreply@anthropic.com>
Mon Jun 01 15:34:06 2026 -0700
committer
Claude Code <noreply@anthropic.com>
Mon Jun 01 15:34:06 2026 -0700
tree
f3399050b0c9595a22b03a933600db1d2bf7ab7f
parent
4f2fe420444220b0dd316aee91d652e144786f31 [diff]
fix(embedded-sdk): validate supersetDomain and surface relaxing sandbox tokens

Builds on the dashboard id validation in this PR with two more
defense-in-depth input checks on embedDashboard params:

- supersetDomain is validated as a parseable absolute URL (it must carry a
  protocol), and the postMessage targetOrigin now uses the normalized
  `new URL(supersetDomain).origin` rather than the raw domain. Sub-path
  deployments keep working because the iframe src still uses the full
  domain; only the targetOrigin is normalized to a clean origin.
- iframeSandboxExtras tokens that relax the iframe's isolation are still
  honored (the option is an intentional escape hatch) but are now logged
  via console.warn so they aren't enabled unintentionally.

Adds unit tests for validateSupersetDomain and findUnsafeSandboxExtras.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2 files changed
tree: f3399050b0c9595a22b03a933600db1d2bf7ab7f
  1. .claude/
  2. .cursor/
  3. .devcontainer/
  4. .github/
  5. ASF/
  6. CHANGELOG/
  7. docker/
  8. docs/
  9. helm/
  10. RELEASING/
  11. requirements/
  12. RESOURCES/
  13. scripts/
  14. superset/
  15. superset-core/
  16. superset-embedded-sdk/
  17. superset-extensions-cli/
  18. superset-frontend/
  19. superset-websocket/
  20. tests/
  21. CLAUDE.mdAGENTS.md
  22. GEMINI.mdAGENTS.md
  23. GPT.mdAGENTS.md
  24. .asf.yaml
  25. .codecov.yml
  26. .coveragerc
  27. .dockerignore
  28. .editorconfig
  29. .envrc.example
  30. .flaskenv
  31. .fossa.yml
  32. .gitattributes
  33. .gitignore
  34. .gitmodules
  35. .markdownlint.json
  36. .pre-commit-config.yaml
  37. .pylintrc
  38. .rat-excludes
  39. AGENTS.md
  40. CHANGELOG.md
  41. CODE_OF_CONDUCT.md
  42. CONTRIBUTING.md
  43. docker-compose-image-tag.yml
  44. docker-compose-light.yml
  45. docker-compose-non-dev.yml
  46. docker-compose.yml
  47. Dockerfile
  48. dockerize.Dockerfile
  49. INSTALL.md
  50. LICENSE.txt
  51. lintconf.yaml
  52. Makefile
  53. MANIFEST.in
  54. NOTICE
  55. pyproject.toml
  56. pytest.ini
  57. README.md
  58. setup.py
  59. superset_text.yml
  60. UPDATING.md
README.md

Superset

License Latest Release on Github Build Status PyPI version PyPI GitHub Stars Contributors Last Commit Open Issues Open PRs Get on Slack Documentation

A modern, enterprise-ready business intelligence web application.

Documentation

  • User Guide — For analysts and business users. Explore data, build charts, create dashboards, and connect databases.
  • Administrator Guide — Install, configure, and operate Superset. Covers security, scaling, and database drivers.
  • Developer Guide — Contribute to Superset or build on its REST API and extension framework.

Why Superset? | Supported Databases | Release Notes | Get Involved | Resources | Organizations Using Superset

Why Superset?

Superset is a modern data exploration and data visualization platform. Superset can replace or augment proprietary business intelligence tools for many teams. Superset integrates well with a variety of data sources.

Superset provides:

  • A no-code interface for building charts quickly
  • A powerful, web-based SQL Editor for advanced querying
  • A lightweight semantic layer for quickly defining custom dimensions and metrics
  • Out of the box support for nearly any SQL database or data engine
  • A wide array of beautiful visualizations to showcase your data, ranging from simple bar charts to geospatial visualizations
  • Lightweight, configurable caching layer to help ease database load
  • Highly extensible security roles and authentication options
  • An API for programmatic customization
  • A cloud-native architecture designed from the ground up for scale

Screenshots & Gifs

Video Overview

superset-video-1080p.webm

Large Gallery of Visualizations


Craft Beautiful, Dynamic Dashboards


No-Code Chart Builder


Powerful SQL Editor


Supported Databases

Superset can query data from any SQL-speaking datastore or data engine (Presto, Trino, Athena, and more) that has a Python DB-API driver and a SQLAlchemy dialect.

Here are some of the major database solutions that are supported:

A more comprehensive list of supported databases along with the configuration instructions can be found here.

Want to add support for your datastore or data engine? Read more here about the technical requirements.

Installation and Configuration

Try out Superset's quickstart guide or learn about the options for production deployments.

Get Involved

Contributor Guide

Interested in contributing? Check out our Developer Guide to find resources around contributing along with a detailed guide on how to set up a development environment.

Resources

Understanding the Superset Points of View

Repo Activity