Address /review-code findings — the previous round's hardening fixed
flake but a few assertions still gave weak signals:
- The chart-rendered selector matched a still-loading chart cell, since
Superset's `Loading` spinner itself renders an SVG. Exclude the spinner
via `:not(:has([data-test="loading-indicator"]))` and centralize the
selector as `EmbeddedPage.RENDERED_CHART_SELECTOR`.
- The "dashboard renders" test only proved iframe/header chrome, not the
dashboard. Add `waitForChartRendered()` so the test name matches what
it asserts.
- The `hideTitle` test passed for the wrong reason if the locator
drifted (`toBeHidden()` succeeds for absent elements). Add an explicit
`toHaveCount(0)` so the contrast against the baseline visibility check
in test 1 is load-bearing.
- `tokenCallCount` was a `>=1` check that any rendered dashboard would
satisfy. Tighten to `=== 1` to actually exercise the SDK's caching
contract.
- Drop the redundant `appUrl` shadow of `appServer.url`.
- Move `import os` to module top in the docker-light config; document
the strict `"true"`-only env-var truthiness convention.
Pre-commit clean (type-check, prettier, oxlint, ruff, mypy). Local
re-verification blocked by an unrelated worktree env issue (semantic
layers feature has incomplete state — the docker-compose-light stack
doesn't bind-mount superset-core/, so the image's stale copy lacks the
new submodule); CI on the chromium-embedded project will validate.
Changes are strictly stronger assertions and refactors so they cannot
turn a previously-passing test into a false positive.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Three additions to the lightweight local config so the embedded-dashboard
flow works against docker-compose-light without manually patching state:
- Read SUPERSET_FEATURE_<NAME> env vars into FEATURE_FLAGS so a docker
.env-local can toggle features without editing tracked config.
- Disable Talisman so /embedded/<uuid> doesn't serve X-Frame-Options:
SAMEORIGIN, which otherwise blocks cross-origin iframe embedding.
- Mirror Public to Gamma via PUBLIC_ROLE_LIKE so guest tokens can hit
/api/v1/me/roles/ (CI does this implicitly via load_test_users; the
light stack does not).
Required for the chromium-embedded Playwright project to run locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Replaces racy one-shot checks with auto-retrying assertions, asserts the
referrer-block test against the deterministic 403 response (not iframe
content), uses an OS-allocated port for the static test app with
connection-tracked teardown, caches the JWT access token across tests,
sends CSRF on the guest-token call (page.request always carries the
storageState cookie, so JWT-only doesn't actually skip CSRF), and waits
for a real viz element inside chart containers rather than a class that
doesn't exist. Verified with --repeat-each=5 (25/25 passing).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The test app server only ever serves /, /index.html, and /sdk/index.js,
so replace dynamic path joining with a fixed allowlist. This eliminates
the data flow from req.url to readFileSync that CodeQL flagged as a
path-traversal sink — the previous resolve+startsWith containment check
was correct but not recognized as a sanitizer by the analyzer.

- Add a build-embedded-sdk step to bashlib.sh and wire it into the
superset-playwright and superset-e2e workflows so the SDK bundle is
compiled before Playwright runs.
- Set SUPERSET_FEATURE_EMBEDDED_SUPERSET=true via workflow env so the
feature flag only affects Playwright jobs. Setting it in the shared
integration test config breaks unrelated Python tests because the
security manager's guest-user paths access g.user through paths that
most tests don't mock.
- Add CORS for localhost:9000 and TALISMAN_ENABLED=False to the
integration test config. Talisman defaults to X-Frame-Options:
SAMEORIGIN, which blocks the embedded dashboard from rendering
inside an iframe hosted on a different port.

Adds five tests covering the embedded dashboard flow against the
world_health example: render, hideTitle UI config, chart rendering,
allowed_domains referrer check, and guest-token data access. Includes:
- A chromium-embedded Playwright project, excluded from the main
project via testIgnore so it can be opted into separately.
- An EmbeddedPage page object and API helpers for embedding/guest
tokens plus dashboard lookup by slug.
- A static test app (embedded-app/index.html) loaded from a minimal
Node static server. Playwright bridges the guest-token fetch from
Node into the browser via page.exposeFunction.
- EMBEDDED timeout/config constants.
Workflow integration and test-environment configuration land in a
follow-up commit.