Mapbox Visual for Power BI - High performance, custom map visuals for Power BI dashboards. This version of Mapbox Visual for Microsoft Power BI is no longer maintained. You can find the live and maintained version of the plugin at: https://github.com/starschema/mapboxgl-powerbi.
MIT License
Potential security issue against the token for publicly shared reports #393
Hello,
I've found an issue when you restrict a token's usage to a public Power BI URL.
We use Power BI to disseminate data, so we really need to share these reports publicly.
The problem is, when you open your web browser console, you can see Mapbox requests that clearly include your token.
Thus, a malicious person could use your token on your behalf.
It's for that reason that, in your Mapbox account, you can restrict the usage of your token to specific URLs only, but that's not working for Power BI public reports. Now, when I inspect the console, I can see that the request responses return "access forbidden".
The report's public URL looks like this:
The publish button on Power BI's online interface, when you open a report (Publish to web):
Thank you
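The two things the reporter describes, a token visible in the browser's network requests and a URL restriction that ends in "access forbidden", can be checked offline. The block below is an added example written for this page; it is not code from the issue, the Mapbox visual, or Mapbox itself. It takes a list of request URLs (in a browser you would collect them with `performance.getEntriesByType("resource").map(e => e.name)`) and reports which ones carry an `access_token` query parameter, with the token redacted. It also simulates a URL restriction as an allowlist matched against the request's Referer. The matching rule used here (origin plus path prefix, trailing `*` as wildcard, empty Referer never matches) is an assumption for illustration, not Mapbox's documented algorithm, and the sample URLs and token values are constructed.

```javascript
// Added example: token-exposure scan over captured request URLs plus a
// simulated Referer allowlist check. Not part of the Mapbox visual or the
// original issue. Sample data below is constructed; the allowlist matching
// rule is an assumption, not Mapbox's implementation.

const TOKEN_PARAM = "access_token";

// Constructed sample of URLs shaped like what a Mapbox-backed visual issues
// from a published report. The token values are fake.
const SAMPLE_REQUESTS = [
  "https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token=pk.eyJ1IjoiZXhhbXBsZSJ9.constructed",
  "https://api.mapbox.com/v4/mapbox.mapbox-streets-v8/1/0/0.vector.pbf?sku=101abc&access_token=pk.eyJ1IjoiZXhhbXBsZSJ9.constructed",
  "https://app.powerbi.com/view?r=constructedReportId", // no token here
];

// Return one finding per URL that carries a token in its query string.
// The token is redacted so the output is safe to paste into an issue.
function findTokenExposures(urls) {
  const findings = [];
  for (const raw of urls) {
    let u;
    try {
      u = new URL(raw);
    } catch {
      continue; // skip malformed entries rather than abort the scan
    }
    const token = u.searchParams.get(TOKEN_PARAM);
    if (!token) continue;
    findings.push({
      host: u.host,
      path: u.pathname,
      // Mapbox public tokens start with "pk.", secret tokens with "sk.";
      // a secret token in a browser request is the more serious finding.
      tokenPrefix: token.slice(0, 3),
      redacted: token.slice(0, 6) + "..." + token.slice(-4),
    });
  }
  return findings;
}

// Simulated URL restriction: each allowlist entry is "origin + path", with an
// optional trailing "*" meaning "any path under this prefix". A request with
// no Referer (for example stripped by a referrer policy or a sandboxed frame)
// cannot match any entry and is therefore denied. Assumed semantics.
function referrerAllowed(referer, allowlist) {
  if (!referer) return false;
  let r;
  try {
    r = new URL(referer);
  } catch {
    return false;
  }
  const normalized = r.origin + r.pathname;
  return allowlist.some((pattern) => {
    if (pattern.endsWith("*")) {
      return normalized.startsWith(pattern.slice(0, -1));
    }
    return normalized === pattern;
  });
}

// Stand-alone usage: scan the constructed sample and try a few Referers
// against an allowlist that only permits the Power BI viewer origin.
const ALLOWLIST = ["https://app.powerbi.com/*"];
for (const f of findTokenExposures(SAMPLE_REQUESTS)) {
  console.log(`token (${f.tokenPrefix}) sent to ${f.host}${f.path}: ${f.redacted}`);
}
for (const ref of ["https://app.powerbi.com/view?r=constructedReportId", "https://attacker.example/copy", ""]) {
  console.log(`Referer ${JSON.stringify(ref)} -> ${referrerAllowed(ref, ALLOWLIST) ? "allowed" : "forbidden"}`);
}
```

The scan confirms the reporter's observation in a reproducible way: any URL that returns a finding is one where the token travels in the clear to whoever can load the report. The allowlist half shows the flip side of URL restrictions: they only help when the browser actually sends a Referer that matches the configured pattern, so an empty or unexpected Referer produces exactly the "access forbidden" the reporter saw.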