fix(export): replace iframe with fetch to avoid CSP frame-src violations (#35584)

Co-authored-by: Claude <noreply@anthropic.com>
2026-05-29 11:45:16 +00:00 · 2025-10-10 14:58:13 -07:00
parent e437ae1f2f
commit 3dcf85caef
12 changed files with 539 additions and 55 deletions
--- a/superset-frontend/src/utils/export.ts
+++ b/superset-frontend/src/utils/export.ts
@@ -16,34 +16,84 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import parseCookie from 'src/utils/parseCookie';
+import { SupersetClient, logging } from '@superset-ui/core';
 import rison from 'rison';
-import { nanoid } from 'nanoid';
+import contentDisposition from 'content-disposition';
 import { ensureAppRoot } from './pathUtils';

-export default function handleResourceExport(
+// Maximum blob size for in-memory downloads (100MB)
+const MAX_BLOB_SIZE = 100 * 1024 * 1024;
+
+/**
+ * Downloads a blob as a file using a temporary anchor element
+ * @param blob - The blob to download
+ * @param fileName - The filename to use for the download
+ */
+function downloadBlob(blob: Blob, fileName: string): void {
+  const url = window.URL.createObjectURL(blob);
+  try {
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = fileName;
+    a.style.display = 'none';
+    document.body.appendChild(a);
+    a.click();
+    document.body.removeChild(a);
+  } finally {
+    window.URL.revokeObjectURL(url);
+  }
+}
+
+export default async function handleResourceExport(
  resource: string,
  ids: number[],
  done: () => void,
-  interval = 200,
-): void {
-  const token = nanoid();
-  const url = ensureAppRoot(
-    `/api/v1/${resource}/export/?q=${rison.encode(ids)}&token=${token}`,
+): Promise<void> {
+  const endpoint = ensureAppRoot(
+    `/api/v1/${resource}/export/?q=${rison.encode(ids)}`,
  );

-  // create new iframe for export
-  const iframe = document.createElement('iframe');
-  iframe.style.display = 'none';
-  iframe.src = url;
-  document.body.appendChild(iframe);
+  try {
+    // Use fetch with blob response instead of iframe to avoid CSP frame-src violations
+    const response = await SupersetClient.get({
+      endpoint,
+      headers: {
+        Accept: 'application/zip, application/x-zip-compressed, text/plain',
+      },
+      parseMethod: 'raw',
+    });

-  const timer = window.setInterval(() => {
-    const cookie: { [cookieId: string]: string } = parseCookie();
-    if (cookie[token] === 'done') {
-      window.clearInterval(timer);
-      document.body.removeChild(iframe);
-      done();
+    // Check content length to prevent memory issues with large exports
+    const contentLength = response.headers.get('Content-Length');
+    if (contentLength && parseInt(contentLength, 10) > MAX_BLOB_SIZE) {
+      logging.warn(
+        `Export file size (${contentLength} bytes) exceeds maximum blob size (${MAX_BLOB_SIZE} bytes). Large exports may cause memory issues.`,
+      );
    }
-  }, interval);
+
+    // Parse filename from Content-Disposition header
+    const disposition = response.headers.get('Content-Disposition');
+    let fileName = `${resource}_export.zip`;
+
+    if (disposition) {
+      try {
+        const parsed = contentDisposition.parse(disposition);
+        if (parsed?.parameters?.filename) {
+          fileName = parsed.parameters.filename;
+        }
+      } catch (error) {
+        logging.warn('Failed to parse Content-Disposition header:', error);
+      }
+    }
+
+    // Convert response to blob and trigger download
+    const blob = await response.blob();
+    downloadBlob(blob, fileName);
+
+    done();
+  } catch (error) {
+    logging.error('Resource export failed:', error);
+    done();
+    throw error;
+  }
 }