From d3784879c2994908a405cd9502cfabf25d5b0f4a Mon Sep 17 00:00:00 2001
From: Enzo Martellucci <52219496+EnxDev@users.noreply.github.com>
Date: Fri, 8 May 2026 09:28:55 +0200
Subject: [PATCH] fix(embedded-sdk): grant fullscreen and clipboard-write by default (#39943)
---
 superset-embedded-sdk/src/index.ts | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/superset-embedded-sdk/src/index.ts b/superset-embedded-sdk/src/index.ts
index e732a36c22f..2eb9f37181a 100644
--- a/superset-embedded-sdk/src/index.ts
+++ b/superset-embedded-sdk/src/index.ts
@@ -66,7 +66,7 @@ export type EmbedDashboardParams = {
 iframeTitle?: string;
 /** additional iframe sandbox attributes ex (allow-top-navigation, allow-popups-to-escape-sandbox) **/
 iframeSandboxExtras?: string[];
- /** iframe allow attribute for Permissions Policy (e.g., ['clipboard-write', 'fullscreen']) **/
+ /** Additional Permissions Policy features for the iframe's `allow` attribute (e.g., ['camera', 'microphone']). `fullscreen` and `clipboard-write` are granted by default. **/
 iframeAllowExtras?: string[];
 /** force a specific refererPolicy to be used in the iframe request **/
 referrerPolicy?: ReferrerPolicy;
@@ -233,9 +233,14 @@ export async function embedDashboard({
 iframe.src = `${supersetDomain}/embedded/${id}${urlParamsString}`;
 iframe.title = iframeTitle;
 iframe.style.background = 'transparent';
- if (iframeAllowExtras.length > 0) {
- iframe.setAttribute('allow', iframeAllowExtras.join('; '));
- }
+ // Permissions Policy features the embedded dashboard relies on. Modern
+ // browsers gate these APIs on the iframe's `allow` attribute regardless
+ // of sandbox flags, so we include them by default. Host apps can extend
+ // the list via `iframeAllowExtras`.
+ const allowFeatures = Array.from(
+ new Set(['fullscreen', 'clipboard-write', ...iframeAllowExtras]),
+ );
+ iframe.setAttribute('allow', allowFeatures.join('; '));
 //@ts-ignore
 mountPoint.replaceChildren(iframe);
 log('placed the iframe');
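Review bot: The new `allow` value always carries `fullscreen` and `clipboard-write`, and `iframeAllowExtras` can only add to it, so a host page that wants a least-privilege embed can no longer withhold either feature (before this change an empty list set no `allow` attribute at all). The `Set` removes exact duplicate strings only, so an entry such as `fullscreen 'none'` ends up as a second directive for the same feature after the default instead of replacing it, and which of the two a browser honours should not be relied on. Keying the list by feature name and letting a caller's entry replace the default keeps the new default while restoring the opt-out; the doc comment on `iframeAllowExtras` in the first hunk should then mention that an entry can narrow or withhold a default. embedDashboard's body starts and ends outside this hunk.

```typescript
// … unchanged: iframe.src / title / background setup …
// Defaults come first; a caller entry for the same feature name replaces
// the default, so a host can narrow or withhold it (e.g. "fullscreen 'none'").
const allowByFeature = new Map<string, string>();
for (const entry of ['fullscreen', 'clipboard-write', ...iframeAllowExtras]) {
  const directive = entry.trim();
  if (directive) allowByFeature.set(directive.split(/\s+/)[0], directive);
}
iframe.setAttribute('allow', [...allowByFeature.values()].join('; '));
// … unchanged: mountPoint.replaceChildren(iframe) and log call …
```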