apache · mistercrunch · Sep 15, 2017 · Jul 11, 2017
diff --git a/docs/installation.rst b/docs/installation.rst
@@ -157,6 +157,8 @@ of the parameters you can copy / paste in that configuration module: ::
 
     # Flask-WTF flag for CSRF
     WTF_CSRF_ENABLED = True
+    # Add endpoints that need to be exempt from CSRF protection
+    WTF_CSRF_EXEMPT_LIST = []
 
     # Set this API key to enable Mapbox visualizations
     MAPBOX_API_KEY = ''
@@ -172,6 +174,11 @@ Please make sure to change:
 * *SQLALCHEMY_DATABASE_URI*, by default it is stored at *~/.superset/superset.db*
 * *SECRET_KEY*, to a long random string
 
+In case you need to exempt endpoints from CSRF, e.g. you are running a custom
+auth postback endpoint, you can add them to *WTF_CSRF_EXEMPT_LIST*
+
+     WTF_CSRF_EXEMPT_LIST = ['']
+
 Database dependencies
 ---------------------
 

diff --git a/superset/__init__.py b/superset/__init__.py
@@ -83,6 +83,9 @@ def get_js_manifest():
 
 if conf.get('WTF_CSRF_ENABLED'):
     csrf = CSRFProtect(app)
+    csrf_exempt_list = conf.get('WTF_CSRF_EXEMPT_LIST', [])
+    for ex in csrf_exempt_list:
+        csrf.exempt(ex)
 
 utils.pessimistic_connection_handling(db.engine)
 

diff --git a/superset/config.py b/superset/config.py
@@ -66,6 +66,9 @@
 # Flask-WTF flag for CSRF
 WTF_CSRF_ENABLED = True
 
+# Add endpoints that need to be exempt from CSRF protection
+WTF_CSRF_EXEMPT_LIST = []
+
 # Whether to run the web server in debug mode or not
 DEBUG = False
 FLASK_USE_RELOAD = True