Azure AD, XSRF protection and st.file_uploader

Like the author of this topic, I am trying to deploy my Streamlit app as a single container Azure Web App. I am running into the same problem with st.file_uploader returning a 403 error when Active Directory is used for authentication.

I disabled XSRF protection as suggested here and that fixes the problem. However, I do not understand enough about Streamlit’s architecture to know whether this is a viable long-term solution. The next steps presented in the documentation page are somewhat cryptic.

I am inclined to believe that this is not a great security risk if the app itself is behind authentication and CORS is disabled in the App Service settings but I do not know for sure. Does anyone have any solutions, hints or resources which would help me out?

Kudu seems to think that SameSite cookies are sent, but I do not see these when I open the site with the browser developer tools. Unfortunately, I am a bit out of my depth on the frontend / webdev side so I am not sure which information is useful to diagnose the problem.

HTTP headers

    Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Encoding=gzip, deflate, br
    Accept-Language=en-US,en;q=0.5
    CLIENT-IP=<ip:port>
    Cookie=ARRAffinity=<long string>; ARRAffinitySameSite=<same long string>; WebSSH2=<different long string>
    DISGUISED-HOST=<host>.scm.azurewebsites.net
    <...> et cetera 

I am also getting the following warning in browser dev tools:

Some cookies are misusing the recommended “SameSite“ attribute

Cookie “_xsrf” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read Set-Cookie - HTTP | MDN main.e71fafa4.chunk.js:1:653793

Cookie “_xsrf” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read Set-Cookie - HTTP | MDN 2 st-allowed-message-origins

Cookie “_xsrf” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read Set-Cookie - HTTP | MDN main.e71fafa4.chunk.js:1:653793

Cookie “_xsrf” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read Set-Cookie - HTTP | MDN
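To make the 403 and the `_xsrf` warning easier to reason about, here is an added illustration (not code from the original post, from Streamlit, or from Tornado) of the mechanism involved: a double-submit XSRF check of the kind Tornado performs on state-changing requests, next to a simplified model of how a browser's SameSite rules decide whether the `_xsrf` cookie is attached at all. The function names, the request dictionaries and the `enabled` flag (standing in for Streamlit's `server.enableXsrfProtection` setting) are assumptions made for the example; the scenarios at the bottom are constructed.

```python
"""
Model of a double-submit XSRF check plus browser SameSite cookie rules.
Added illustration only; the names and request shapes are assumptions,
not Streamlit's or Tornado's real internals.
"""
import hmac
import secrets
from typing import Dict, Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_xsrf_token() -> str:
    """Server mints a random token; it is set as the _xsrf cookie and also
    handed to the page so the client can echo it back in a header/field."""
    return secrets.token_hex(16)


def xsrf_check(request: Dict, enabled: bool = True) -> int:
    """Return the HTTP status a simplified server would answer with.

    request is a constructed dict: {'method', 'cookies', 'headers'}.
    Safe methods are never checked. For anything else the token in the
    cookie and the token the client echoes back must both be present and
    equal, otherwise the request is refused with 403.
    With enabled=False the check is skipped entirely, which is what
    turning XSRF protection off amounts to.
    """
    if not enabled or request["method"] in SAFE_METHODS:
        return 200
    cookie_token = request["cookies"].get("_xsrf")
    echoed_token = request["headers"].get("X-Xsrftoken")
    if not cookie_token or not echoed_token:
        return 403  # one half of the double submit is missing
    if not hmac.compare_digest(cookie_token, echoed_token):
        return 403  # halves do not match
    return 200


def cookie_sent(samesite: Optional[str], same_site_request: bool,
                top_level_navigation: bool, method: str) -> bool:
    """Simplified browser rule for whether a cookie is attached.

    None      -> always sent (browsers also require Secure for this)
    Lax       -> same-site requests, plus top-level GET navigations
    Strict    -> same-site requests only
    missing   -> treated as Lax; this is the change the console warning
                 in the post announces
    """
    mode = (samesite or "Lax").lower()
    if same_site_request:
        return True
    if mode == "none":
        return True
    if mode == "lax":
        return top_level_navigation and method == "GET"
    return False  # strict


def simulate_upload(samesite: Optional[str], same_site_request: bool,
                    enabled: bool = True) -> int:
    """Constructed scenario: the page loaded earlier and holds the token,
    then the client POSTs an upload. The browser decides whether the
    _xsrf cookie travels with that POST according to its SameSite rule."""
    token = issue_xsrf_token()
    cookies = {}
    if cookie_sent(samesite, same_site_request,
                   top_level_navigation=False, method="POST"):
        cookies["_xsrf"] = token
    request = {
        "method": "POST",
        "cookies": cookies,
        "headers": {"X-Xsrftoken": token},
    }
    return xsrf_check(request, enabled=enabled)


if __name__ == "__main__":
    for label, status in [
        ("same-site upload, Lax cookie", simulate_upload("Lax", True)),
        ("cross-site upload, cookie lacks SameSite", simulate_upload(None, False)),
        ("cross-site upload, SameSite=None", simulate_upload("None", False)),
        ("cross-site upload, protection disabled", simulate_upload(None, False, enabled=False)),
    ]:
        print(f"{label}: {status}")
```

The point the model makes: the 403 comes from the cookie half of the double submit not arriving, which happens when the POST is treated as cross-site and the cookie's SameSite value (or its absence, soon read as `Lax`) keeps the browser from attaching it. Disabling the check makes the 403 go away because nothing is compared any more, so whatever sits in front of the app (the authentication layer and the CORS settings mentioned in the post) becomes the only thing standing between a cross-site request and the upload endpoint.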
