appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0
34.54k stars 3.73k forks

[Bug]: Unable to Embed PowerBI Embedded report on Appsmith #30754

Closed sudheerkumarDAC closed 8 months ago

sudheerkumarDAC commented 9 months ago

Is there an existing issue for this?

Description

I want to embed a PowerBI Report that uses authentication tokens and I want to embed it onto an IFrame. I am using an HTML page that will act as the srcDoc for an IFrame on an Appsmith page. The below HTML code works fine and displays the report without an issue, but the IFrame on Appsmith fails to load the same report. There are no errors displayed either. I am attaching the HTML file, whose content will be given as the source of the IFrame. PowerBIEmbedHtml.txt

Please comment if more details are required on this.

Steps To Reproduce

  1. Create an Appsmith page
  2. Add an IFrame widget
  3. Provide the content of the file attached as the source of the IFrame
  4. The IFrame tries to load the PowerBI report, but fails to load the report. No errors are displayed on the Appsmith toolbar below.

Public Sample App

No response

Environment

Production

Issue video log

No response

Version

Appsmith Community v1.9.39

Nikhil-Nandagopal commented 9 months ago

@sudheerkumarDAC the text you have uploaded only contains the client ID and secret. I think this information is sensitive and you may want to consider removing it. It's not an HTML file, so I'm closing this issue till you update the file.

sudheerkumarDAC commented 9 months ago

@Nikhil-Nandagopal Thanks for the update. I am very sorry, I uploaded the wrong file. Attaching the correct file: PowerBIEmbedHtml.txt

sudheerkumarDAC commented 9 months ago

Hi Nikhil, I am very sorry. I have uploaded the right file on the ticket. Thanks for the alert. If you need fresh values in the file to test, please let me know. But it will be valid only for 20 mins.


--

Best Regards,

Sudheer Kumar Principal Architect digitalAPICRAFT https://urldefense.com/v3/__http:/digitalapicraft.com/__;!!LSAcJDlP!kCaHF4GFLiVq9lM98pk7djODIg6EpD5QXTpAVx_ZEynEnQA0B6-6zNfEYrrS16DC7jlyZUjW$

M: +91 9886743928

sbalaji1192 commented 9 months ago

@sudheerkumarDAC This could be an issue with sandboxing of the iframe widget. You can disable it by updating the following env variable: APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX. More info can be found here - https://docs.appsmith.com/product/security#sandboxed-iframe-widgets Can you try this once?

sudheerkumarDAC commented 9 months ago

Thanks @sbalaji1192! When I set the flag APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX=true, it is able to load the PowerBI report successfully. Please elaborate on any security implications there are due to this, as the document says: "Setting this variable to true removes the sandboxing attributes, and hence, should be done judiciously, acknowledging the potential implications for security."


sbalaji1192 commented 9 months ago

@sudheerkumarDAC By default the flag is disabled to mitigate XSS attacks (https://owasp.org/www-community/attacks/Cross_Frame_Scripting).

sudheerkumarDAC commented 9 months ago

Thanks for the update!

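What removing the sandboxing attributes changes for srcDoc content, as an added example that is not part of the original thread and not Appsmith's code: a small Node.js checker for an iframe sandbox attribute value. The function name auditSandbox, the level labels and the sample attribute values are assumptions made for illustration; the token names are those of the HTML standard.

```javascript
// Added example, not Appsmith code. Token names come from the HTML standard;
// the attribute values passed in at the bottom are constructed samples.
const KNOWN = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// attr: the sandbox attribute's string value, or null when the attribute is absent.
function auditSandbox(attr) {
  if (attr === null || attr === undefined) {
    // An unsandboxed srcdoc frame shares the embedding page's origin.
    return { level: "unsandboxed", tokens: [], unknown: [],
      notes: ["srcdoc markup runs script in the embedding app's origin"] };
  }
  // Tokens are space-separated and ASCII case-insensitive.
  const tokens = [...new Set(attr.toLowerCase().split(/\s+/).filter(Boolean))];
  const unknown = tokens.filter((t) => !KNOWN.has(t));
  const has = (t) => tokens.includes(t);
  const notes = [];
  let level = "restricted";
  if (has("allow-scripts") && has("allow-same-origin")) {
    // For srcdoc content, same-origin script can reach the parent DOM
    // and remove the sandbox attribute from its own frame.
    level = "escapable";
    notes.push("scripts + same-origin: frame can undo its own sandbox");
  } else if (has("allow-scripts")) {
    notes.push("scripts run in an opaque origin: no parent DOM, cookies or storage");
  } else {
    notes.push("script execution blocked");
  }
  if (has("allow-top-navigation")) notes.push("frame may navigate the top-level page");
  if (has("allow-popups-to-escape-sandbox")) notes.push("popups open unsandboxed");
  if (unknown.length) notes.push("unrecognised tokens ignored: " + unknown.join(", "));
  return { level, tokens, unknown, notes };
}

// Constructed samples: attribute absent, a strict value, a self-defeating value.
for (const sample of [null, "allow-scripts allow-forms", "Allow-Scripts allow-same-origin"]) {
  const r = auditSandbox(sample);
  console.log(JSON.stringify(sample), "->", r.level, "|", r.notes.join("; "));
}
```

The "unsandboxed" result corresponds to a frame rendered with no sandbox attribute at all, which is why anything an app user can place into srcDoc should then be treated as script running with the application's own origin.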