Fix Kedro-viz embedded as an IFrame (#1658)

In response to issue #1348, which required the addition of security headers to demo.kedro.org, we implemented a solution in PR #1355. This solution involved adding security headers to the FastAPI application which results in all instances of kedro-viz, whether hosted or local, having these security headers. Having the security headers introduced a limitation where kedro-viz could not be used as an IFrame, affecting functionalities like %run_viz that embed kedro-viz in an iframe. To address this, the current ticket introduces a conditional approach. We will add security headers only if the environment variable ADD_SECURITY_HEADER is set to true. This modification will be implemented in the Dockerfile when creating the docker image for the demo project. This image will then be uploaded to an EC2 instance and deployed using Lightsail.
kedro-org · Dec 5, 2023 · c0536f2 · c0536f2
1 parent 3946a68
commit c0536f2
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/demo-project/Dockerfile b/demo-project/Dockerfile
@@ -8,3 +8,5 @@ COPY . /code
 RUN pip install --no-cache-dir --upgrade -r /code/src/docker_requirements.txt
 
 CMD ["kedro", "viz", "--host", "0.0.0.0", "--port", "4141", "--no-browser"]
+
+ENV ADD_SECURITY_HEADERS=true
diff --git a/package/kedro_viz/api/apps.py b/package/kedro_viz/api/apps.py
@@ -2,6 +2,7 @@
 This data could either come from a real Kedro project or a file.
 """
 import json
+import os
 import time
 from pathlib import Path
 
@@ -21,8 +22,6 @@
 
 _HTML_DIR = Path(__file__).parent.parent.absolute() / "html"
 
-secure_headers = secure.Secure()
-
 
 def _create_etag() -> str:
     """Generate the current timestamp to use as etag."""
@@ -37,11 +36,14 @@ def _create_base_api_app() -> FastAPI:
         default_response_class=EnhancedORJSONResponse,
     )
 
-    @app.middleware("http")
-    async def set_secure_headers(request, call_next):
-        response = await call_next(request)
-        secure_headers.framework.fastapi(response)
-        return response
+    if os.getenv("ADD_SECURITY_HEADERS", "").lower() == "true":  # pragma: no cover
+        secure_headers = secure.Secure()
+
+        @app.middleware("http")
+        async def set_secure_headers(request, call_next):
+            response = await call_next(request)
+            secure_headers.framework.fastapi(response)
+            return response
 
     return app
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8,3 +8,5 @@ COPY . /code
		RUN pip install --no-cache-dir --upgrade -r /code/src/docker_requirements.txt

		CMD ["kedro", "viz", "--host", "0.0.0.0", "--port", "4141", "--no-browser"]

		ENV ADD_SECURITY_HEADERS=true