This is an automated email from the ASF dual-hosted git repository.
vavila pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 6042ea8f28 feat(embedded): Force a specific referrerPolicy for the
iframe request (#32735)
6042ea8f28 is described below
commit 6042ea8f282b0f24a7b63af6c9cda95cd2239596
Author: Vitor Avila <[email protected]>
AuthorDate: Wed Mar 19 15:44:07 2025 -0300
feat(embedded): Force a specific referrerPolicy for the iframe request
(#32735)
---
superset-embedded-sdk/README.md | 12 +++++++++++-
superset-embedded-sdk/src/index.ts | 9 ++++++++-
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/superset-embedded-sdk/README.md b/superset-embedded-sdk/README.md
index 377720dd3b..63d8e70618 100644
--- a/superset-embedded-sdk/README.md
+++ b/superset-embedded-sdk/README.md
@@ -60,7 +60,9 @@ embedDashboard({
}
},
// optional additional iframe sandbox attributes
- iframeSandboxExtras: ['allow-top-navigation',
'allow-popups-to-escape-sandbox']
+ iframeSandboxExtras: ['allow-top-navigation',
'allow-popups-to-escape-sandbox'],
+ // optional config to enforce a particular referrerPolicy
+ referrerPolicy: "same-origin"
});
```
@@ -146,3 +148,11 @@ To pass additional sandbox attributes you can use
`iframeSandboxExtras`:
// optional additional iframe sandbox attributes
iframeSandboxExtras: ['allow-top-navigation',
'allow-popups-to-escape-sandbox']
```
+
+### Enforcing a ReferrerPolicy on the request triggered by the iframe
+
+By default, the Embedded SDK creates an `iframe` element without a
`referrerPolicy` value enforced. This means that a policy defined for `iframe`
elements at the host app level would reflect to it.
+
+This can be an issue as during the embedded enablement for a dashboard it's
possible to specify which domain(s) are allowed to embed the dashboard, and
this validation happens throuth the `Referrer` header. That said, in case the
hosting app has a more restrictive policy that would omit this header, this
validation would fail.
+
+Use the `referrerPolicy` parameter in the `embedDashboard` method to specify
[a particular
policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy)
that works for your implementation.
diff --git a/superset-embedded-sdk/src/index.ts
b/superset-embedded-sdk/src/index.ts
index 063db77fb7..7bcf5dcd2e 100644
--- a/superset-embedded-sdk/src/index.ts
+++ b/superset-embedded-sdk/src/index.ts
@@ -64,6 +64,8 @@ export type EmbedDashboardParams = {
iframeTitle?: string
/** additional iframe sandbox attributes ex (allow-top-navigation,
allow-popups-to-escape-sandbox) **/
iframeSandboxExtras?: string[]
+ /** force a specific refererPolicy to be used in the iframe request **/
+ referrerPolicy?: ReferrerPolicy
}
export type Size = {
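Review bot: The new doc comment on `referrerPolicy?` misspells the attribute as `refererPolicy` and gives the integrator no guidance on which values work; the README in this same commit states that Superset validates the allowed embedding domains through the `Referer` header, so a policy that suppresses the referrer on cross-origin requests (the README's own `"same-origin"` example sends no referrer cross-origin) would make that validation fail whenever the host app and Superset are on different origins, which is the normal embedding setup. I would replace the comment with `/** force a specific referrerPolicy on the iframe request; choose a value that still sends at least the origin cross-site (e.g. "strict-origin-when-cross-origin"), since Superset validates allowed embedding domains via the Referer header **/`. The same `refererPolicy` misspelling is repeated in the comment added in the third hunk (`// force a specific refererPolicy to be used in the iframe request`).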
@@ -88,7 +90,8 @@ export async function embedDashboard({
dashboardUiConfig,
debug = false,
iframeTitle = "Embedded Dashboard",
- iframeSandboxExtras = []
+ iframeSandboxExtras = [],
+ referrerPolicy,
}: EmbedDashboardParams): Promise<EmbeddedDashboard> {
function log(...info: unknown[]) {
if (debug) {
@@ -142,6 +145,10 @@ export async function embedDashboard({
iframeSandboxExtras.forEach((key: string) => {
iframe.sandbox.add(key);
});
+ // force a specific refererPolicy to be used in the iframe request
+ if(referrerPolicy) {
+ iframe.referrerPolicy = referrerPolicy;
+ }
// add the event listener before setting src, to be 100% sure that we
capture the load event
iframe.addEventListener('load', () => {