Skip to content
Snippets Groups Projects
Select Git revision
  • fix-case-contains
  • fix-offset-example
  • adm-579-handle-too-long-search-strings
  • fix-table-row-heights-with-rich-content
  • fix-details-only-columns-present-in-viz
  • docs-impersonation-fix
  • cloud_issue_additional_fields
  • expression-literals-fix-h2
  • docs-db-conns
  • fix-display-as-img-static-viz
  • date-generalize-tests
  • release-x.54.x
  • test-mongo-noscripting
  • release-x.53.x
  • generalize-cast-test-integration
  • integer-general-tests
  • backport-54-2593cf1957f7cf0f5b35b76196c6305404b4dd62
  • master default protected
  • backport-53-3ed041bc60724136b36bea24731d7432959f9618
  • backport-54-3ed041bc60724136b36bea24731d7432959f9618
  • v0.54.0.2-beta
  • v0.54.0.x
  • v0.54.x
  • v0.53.8.5
  • v0.53.8.x
  • v0.53.x
  • v0.54.0.1-beta
  • v0.53.8.4
  • v0.53.8.3
  • v0.53.8.2
  • embedding-sdk-54-stable
  • embedding-sdk-0.54.4-nightly
  • v0.53.8.1
  • latest-ee
  • latest-oss
  • v0.53.8
  • beta-ee
  • beta-oss
  • v0.54.0-beta
  • v0.53.7.6
40 results
Blame Permalink
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
EmbeddingAppSameSiteCookieDescription.tsx 2.67 KiB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74 






import { jt, t } from "ttag";

import { useSetting } from "metabase/common/hooks";
import ExternalLink from "metabase/core/components/ExternalLink";
import { isSameOrigin } from "metabase/lib/dom";
import { useSelector } from "metabase/lib/redux";
import { isEmpty } from "metabase/lib/utils";
import { getDocsUrl } from "metabase/selectors/settings";
import { Box, Center, Stack, Text } from "metabase/ui";

import { SameSiteAlert } from "./EmbeddingAppSameSiteCookieDescription.styled";

export const EmbeddingAppSameSiteCookieDescription = () => {
  const docsUrl = useSelector(state =>
    // eslint-disable-next-line no-unconditional-metabase-links-render -- Admin settings
    getDocsUrl(state, {
      page: "embedding/interactive-embedding",
      anchor: "embedding-metabase-in-a-different-domain",
    }),
  );

  const embeddingSameSiteCookieSetting = useSetting("session-cookie-samesite");
  const embeddingAuthorizedOrigins = useSetting("embedding-app-origin");

  const shouldDisplayNote =
    embeddingSameSiteCookieSetting !== "none" &&
    authorizedOriginsContainsNonInstanceDomain(embeddingAuthorizedOrigins);

  return (
    <Stack spacing="sm">
      {shouldDisplayNote && <AuthorizedOriginsNote />}
      {/* eslint-disable-next-line no-literal-metabase-strings -- Metabase settings */}
      <Text>{t`Determines whether or not cookies are allowed to be sent on cross-site requests. You’ll likely need to change this to None if your embedding application is hosted under a different domain than Metabase. Otherwise, leave it set to Lax, as it's more secure.`}</Text>
      <Text>{jt`If you set this to None, you'll have to use HTTPS, or browsers will reject the request. ${(
        <ExternalLink key="learn-more" href={docsUrl}>
          {t`Learn more`}
        </ExternalLink>
      )}`}</Text>
    </Stack>
  );
};

function AuthorizedOriginsNote() {
  return (
    <Box data-testid="authorized-origins-note" w="22rem">
      <SameSiteAlert variant="warning" hasBorder>
        <Center>
          <Text>{jt`You should probably change this setting to ${(
            <Text key="inner" span fw="bold">
              {t`None`}
            </Text>
          )}.`}</Text>
        </Center>
      </SameSiteAlert>
    </Box>
  );
}

function authorizedOriginsContainsNonInstanceDomain(
  authorizedOriginsString: string,
): boolean {
  // temporarily disabled because it suggest wrong SameSite value
  // for local development, where the origin is localhost and when the protocol is not specified
  // metabase#43523
  return false;

  if (isEmpty(authorizedOriginsString)) {
    return false;
  }

  const origins = authorizedOriginsString.split(" ");
  return origins.some(origin => !isSameOrigin(origin));
}