Metabase CORS and CSP headers

staypath

If adding user.conf customization would persist settings like headers in nginx, that might be a good feature. Thanks again.

girish

@staypath was discussing this internally and we got a bit confused by your earlier comment in #3 . Do you know how/why adding CORS fixed your embedding issue.

Isn't embedding mattermost metabase about adding an IFRAME? If so, this only involves fixing the CSP header and the CORS headers should have no relevance. Did we misunderstand something ? CORS is only applicable if a website frontend, which is not mattermost metabase, is making API calls to mattermost metabase.

staypath

Thanks for the reply. We are embedding Metabase, not Mattermost. I agree with you, normally CORS would not apply, but as I mentioned previously, we are embedding Metabase within a Retool iFrame component. Something about how Retool fetches the iFrame content is making it appear to the browser that it should check for CORS headers. Since CORS headers don't exist, the browser refuses to load the iFrame. I think there are two questions here:

1. is CORS even required in this scenario? Maybe it shouldn't be by design, but the Retool iFrame component will not load the Metabase content without CORS headers in place
2. in edge cases like this, would the ability to customize nginx headers in Cloudron user.conf solve the issue?

Thanks

girish

@staypath whooops sorry, that was an unintentionaly typo. I meant metabase all along. As for retool, I am just looking at what that is.

girish

A simple iframe test works for me in Surfer:

    <!DOCTYPE html>    
    <html>    
    <body>    
    <h2>HTML Iframes example</h2>    
    <p>Use the height and width attributes to specify the size of the iframe:</p>    
    <iframe src="https://metabase.smartserver.io/public/dashboard/5124c74d-ab16-42d7-b1a1-68b774e5dd66" height="500" width="500"></iframe>    
    </body>    
    </html>  

Not sure what retool is doing.

girish

OK, found the problem . @staypath retool is removing the allow-same-origin from the iframe . See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow-same-origin . This makes API calls in the IFRAME appear as cross origin. Adding it manually in web inspector, makes retool show it:

girish

Ah, found it. Just check this option in retool (Interaction -> Enable Storage and cookies) and it works.

staypath

I really appreciate you looking into this. You have gone above and beyond, so thank you again. I saw the Storage and Cookies option in the Retool docs as well, and strangely, my Retool instance does not have this option. I will open a support ticket with Retool to figure out why this option is missing. Thank you again for the help with troubleshooting.

girish

@staypath ah interesting. I am using the cloud version. Maybe you are on selfhosted?

staypath

@girish Yes, maybe that is the difference. I am using self-hosted Retool.

staypath

@girish Just closing out this discussion. For reference, here is when the change was introduced to Retool that caused the issue with loading the iframe:

https://docs.retool.com/releases/legacy/3.22#:~:text=Disabled Storage and cookies

Thanks again.