Mayukh Srivastava

Reputation: 1

Apache Superset Iframe Issue: SESSION_COOKIE_SAMESITE=None Still Defaults to LAX

I'm trying to embed an Apache Superset dashboard inside an iframe, but the browser enforces SameSite=Lax for the session cookie, even though my superset_config.py explicitly sets:

SESSION_COOKIE_SAMESITE = "None"
SESSION_COOKIE_SECURE = True

When I check the running container, the configuration appears correctly inside the superset_config.py file. However, inspecting cookies in the browser shows:

Set-Cookie: session=xxxx; Path=/; Secure; HttpOnly; SameSite=Lax

What I've Tried:

  1. Verified the superset_config.py file inside the running container using:
     docker exec -it <superset_container_id> cat /app/pythonpath/superset_config.py
  2. Restarted Superset.
  3. Cleared browser cookies and cache. Tested with multiple browsers.

Questions:

  1. Why is Superset not respecting SESSION_COOKIE_SAMESITE=None?
  2. Do I need to explicitly set this in Dockerfile or environment variables?
  3. Is there any other configuration overriding this setting?

Any help or insights would be greatly appreciated!

Upvotes: 0

Views: 19
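
The check described in the question (file contents versus the Set-Cookie header the browser receives) can be automated; this is an added example, not part of the original post and not Superset code. The function names are hypothetical, and the sample input is constructed from the two settings and the header quoted above. A reported mismatch means the value in that file is not the one the running app used when it set the cookie.

```python
import ast

# Flask config keys mapped to the Set-Cookie attribute each one controls.
KEYS = {"SESSION_COOKIE_SAMESITE": "samesite", "SESSION_COOKIE_SECURE": "secure",
        "SESSION_COOKIE_HTTPONLY": "httponly"}

def read_config(source):
    """Collect literal top-level assignments to the cookie keys without executing the file."""
    found = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id in KEYS:
                    try:
                        found[target.id] = ast.literal_eval(node.value)
                    except ValueError:
                        pass  # computed value (e.g. read from the environment): not comparable
    return found

def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, lower-cased attribute dict)."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attributes carry no value
    return name, attrs

def find_drift(config_source, header):
    """List the differences between what the file sets and what the server sent."""
    _, attrs = parse_set_cookie(header)
    problems = []
    for key, want in read_config(config_source).items():
        got = attrs.get(KEYS[key], False)
        if isinstance(want, str):
            same = isinstance(got, str) and want.lower() == got.lower()
        else:
            same = bool(want) == bool(got)
        if not same:
            problems.append(f"{key}: file says {want!r}, header has {got!r}")
    # Browsers only accept SameSite=None on cookies that are also marked Secure.
    if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure: browsers reject this cookie")
    return problems

# Constructed sample input: the settings and the header quoted in the question.
CONFIG = 'SESSION_COOKIE_SAMESITE = "None"\nSESSION_COOKIE_SECURE = True\n'
HEADER = "Set-Cookie: session=xxxx; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Calling `find_drift(CONFIG, HEADER)` on the question's values reports the SameSite mismatch and nothing else, since `Secure` already matches.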

Answers (0)
