Reputation: 1
I want to embed a URL (www.example.com) in Power BI using a custom visual in an iframe. It gives a CSP error even though I have whitelisted the URLs from both sides. In the custom visual I have added the URL (www.example.com) that I want to load under privileges in capabilities.json:
"privileges": [
    {
        "name": "WebAccess",
        "essential": true,
        "parameters": [
            "https://www.wikipedia.org/",
            "https://www.example.com"
        ]
    }
]
and also whitelisted https://app.powerbi.com on the server of that URL (www.example.com); still the error is:
Refused to frame 'https://www.example.com' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://app.powerbi.com".
I didn't get what went wrong; what am I missing?
Note: it only works on Firefox.
What is the reason for this error? How do I resolve it, as I have done everything possible?
Upvotes: 0
Views: 27
Reputation: 171
The short answer is that you're doing as much as you can right from your end, but it most likely won't work.
Longer form: This answer details the problem in the context of the third-party sites you're attempting to embed. To explain the Power BI side: because Power BI custom visuals are sandboxed iframes themselves, they are subject to the permissions that Microsoft imposes on them. One of these is that they remove the domain on a custom visual (setting it to null) so that it can't impersonate the powerbi.com domain or use its privileges that might be allowed by the content security policies of external sites.
So, you can add a site to the whitelist for WebAccess, but it doesn't necessarily mean that the external site will honor it, due to how they have set up their own content security policies. Microsoft will not make custom visuals any less permissive than they are currently, so you would need to request that any potential third-party sites allow this from their end to successfully embed their content within a Power BI custom visual.
I have a very old article for the HTML Content visual I wrote here, as it's a common scenario for my users and comes up a lot. It pre-dates MS's move to content security policy for custom visuals (when they used CORS), but the basics are the same.
Upvotes: 0
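To make the answer's point concrete, here is an added example (not code from the question, the answer, or Power BI) that models, in simplified form, how a browser evaluates a `frame-ancestors` directive: every ancestor in the frame chain must match at least one source expression, and an opaque ("null") origin such as a sandboxed iframe's matches nothing. The CSP string, page URL and ancestor chains below are constructed for the demonstration; ports, paths and the scheme-upgrade rules of real CSP source matching are deliberately left out.

```python
from urllib.parse import urlsplit


def parse_frame_ancestors(csp: str) -> list[str]:
    """Return the source expressions of the frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return []


def origin_of(url: str) -> str:
    """scheme://host of a URL, lower-cased (ports and paths ignored: simplification)."""
    s = urlsplit(url)
    return f"{s.scheme}://{s.netloc}".lower()


def source_matches(source: str, ancestor_origin: str, self_origin: str) -> bool:
    """Does one CSP source expression match one ancestor origin?"""
    if ancestor_origin == "null":
        # Opaque origin (sandboxed iframe without allow-same-origin):
        # it is not any host, so no host-source, 'self' or '*' can match it.
        return False
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin == self_origin
    if source == "*":
        return True
    if "://" in source:
        src_scheme, src_host = source.lower().split("://", 1)
    else:
        src_scheme, src_host = None, source.lower()  # scheme-less host-source
    anc_scheme, anc_host = ancestor_origin.split("://", 1)
    if src_scheme is not None and src_scheme != anc_scheme:
        return False
    src_host = src_host.rstrip("/")
    if src_host.startswith("*."):
        return anc_host.endswith(src_host[1:])  # "*.powerbi.com" matches "app.powerbi.com"
    return anc_host == src_host


def framing_allowed(csp: str, page_url: str, ancestor_origins: list[str]) -> bool:
    """True if the page at page_url may be framed given this ancestor chain.

    ancestor_origins lists the parent first, then grandparent, and so on.
    With no frame-ancestors directive, CSP does not restrict framing at all.
    """
    sources = parse_frame_ancestors(csp)
    if not sources:
        return True
    self_origin = origin_of(page_url)
    return all(
        any(source_matches(src, anc, self_origin) for src in sources)
        for anc in ancestor_origins
    )


# Constructed scenario mirroring the question: the embedded site allows itself and app.powerbi.com.
EMBEDDED_CSP = "default-src 'self'; frame-ancestors 'self' https://app.powerbi.com"
EMBEDDED_PAGE = "https://www.example.com/embed"


def direct_embed() -> bool:
    """Framed directly by the Power BI report page: only one ancestor, and it matches."""
    return framing_allowed(EMBEDDED_CSP, EMBEDDED_PAGE, ["https://app.powerbi.com"])


def embed_via_custom_visual() -> bool:
    """Framed by a sandboxed custom visual (null origin) that sits under app.powerbi.com."""
    return framing_allowed(EMBEDDED_CSP, EMBEDDED_PAGE, ["null", "https://app.powerbi.com"])


if __name__ == "__main__":
    print("direct embed allowed:", direct_embed())               # True
    print("embed via custom visual allowed:", embed_via_custom_visual())  # False
```

The `WebAccess` privilege in capabilities.json only controls what the visual itself is permitted to request; `frame-ancestors` is enforced by the browser on behalf of the embedded site, and the visual's null origin fails that check regardless of what the visual's own manifest allows, which is why the whitelist on the Power BI side cannot fix the error by itself.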