Bug description
```
WARNING:superset.views.error_handling:Refresh CSRF token error
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1482, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1974, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 273, in protect
    self._error_response("The referrer does not match the host.")
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The referrer does not match the host.
WARNING:superset.views.error_handling:HTTPException
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1482, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1974, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 229, in csrf_protect
    self.protect()
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 273, in protect
    self._error_response("The referrer does not match the host.")
  File "/usr/local/lib/python3.10/site-packages/flask_wtf/csrf.py", line 307, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The referrer does not match the host.
```
My Superset is hosted on xyz domain and my React app is hosted on abc domain... I am trying to get the guest token to embed the dashboard, but I am getting "The CSRF tokens do not match".
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
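The traceback above ends in Flask-WTF's referrer check, which runs only for HTTPS requests while `WTF_CSRF_SSL_STRICT` is enabled. The following is an added example, not part of the original report and not Flask-WTF's or Superset's own code: a standard-library restatement of that check as I understand it, run over constructed requests. The names `referrer_check`, `SCENARIOS` and `evaluate` are hypothetical; `xyz.example` stands in for the Superset host and `abc.example` for the React app.

```python
from urllib.parse import urlparse

MISSING = "The referrer header is missing."
MISMATCH = "The referrer does not match the host."


def same_origin(current_uri, compare_uri):
    """Compare scheme, hostname and port only; the path is ignored."""
    current, compare = urlparse(current_uri), urlparse(compare_uri)
    return (
        current.scheme == compare.scheme
        and current.hostname == compare.hostname
        and current.port == compare.port
    )


def referrer_check(referrer, host, is_secure=True, ssl_strict=True):
    """Return the error the check would raise, or None if the request passes."""
    if not (is_secure and ssl_strict):
        return None  # the check is skipped for plain HTTP or with strict mode off
    if not referrer:
        return MISSING
    # The expected referrer is built from the Host header the server sees.
    if not same_origin(referrer, f"https://{host}/"):
        return MISMATCH
    return None


# Constructed (Referer, Host) pairs, not taken from the report.
SCENARIOS = {
    "browser fetch from the React app": ("https://abc.example/dash", "xyz.example"),
    "backend call, no Referer sent": (None, "xyz.example"),
    "backend call, Referer = Superset origin": ("https://xyz.example/", "xyz.example"),
    "port present on one side only": ("https://xyz.example/", "xyz.example:443"),
    "http Referer on an https request": ("http://xyz.example/", "xyz.example"),
}


def evaluate(scenarios=SCENARIOS):
    """Map each scenario name to its error message, or None when it passes."""
    return {name: referrer_check(ref, host) for name, (ref, host) in scenarios.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:42} -> {result or 'passes'}")
```

A request sent from a page on another origin carries that page's origin as its Referer, so it fails this check regardless of whether the CSRF token itself is valid.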
Comment From: dosubot[bot]
There are a few similar discussions related to CSRF token issues in Apache Superset:
- Can't authenticate to get guest_token - This discussion is still open and might provide some insights into your issue.
- [QA][superset & keycloak] flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing. - This is another open discussion that deals with CSRF token errors.
- Apache Superset Embedded Not Working (Forbidden) - This discussion is also open and might be relevant to your problem.
Additionally, a closed issue suggested that when obtaining the CSRF token, you should ensure that the Set-Cookie header is used alongside the token. This means you need to use the same cookie when requesting the guest token. If you're using a client to make requests, it might handle cookies automatically. Otherwise, you need to add the cookies manually [1].
Comment From: rusackas
Is this a recent upgrade, or a first time setup? Seems like it's likely some form of config issue, but it might be a bug if it's an upgrade.
Comment From: rusackas
We haven't heard back on the open question, so we may close this as inactionable/not-planned. Happy to move this to a Discussion if you're looking for help troubleshooting.