This is an automated email from the ASF dual-hosted git repository.

EnxDev pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new d3784879c29 fix(embedded-sdk): grant fullscreen and clipboard-write by 
default (#39943)
d3784879c29 is described below

commit d3784879c2994908a405cd9502cfabf25d5b0f4a
Author: Enzo Martellucci <[email protected]>
AuthorDate: Fri May 8 09:28:55 2026 +0200

    fix(embedded-sdk): grant fullscreen and clipboard-write by default (#39943)
---
 superset-embedded-sdk/src/index.ts | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/superset-embedded-sdk/src/index.ts 
b/superset-embedded-sdk/src/index.ts
index e732a36c22f..2eb9f37181a 100644
--- a/superset-embedded-sdk/src/index.ts
+++ b/superset-embedded-sdk/src/index.ts
@@ -66,7 +66,7 @@ export type EmbedDashboardParams = {
   iframeTitle?: string;
   /** additional iframe sandbox attributes ex (allow-top-navigation, 
allow-popups-to-escape-sandbox) **/
   iframeSandboxExtras?: string[];
-  /** iframe allow attribute for Permissions Policy (e.g., ['clipboard-write', 
'fullscreen']) **/
+  /** Additional Permissions Policy features for the iframe's `allow` 
attribute (e.g., ['camera', 'microphone']). `fullscreen` and `clipboard-write` 
are granted by default. **/
   iframeAllowExtras?: string[];
   /** force a specific refererPolicy to be used in the iframe request **/
   referrerPolicy?: ReferrerPolicy;
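Review bot: The new doc comment on `iframeAllowExtras` uses `['camera', 'microphone']` as its example, which nudges integrators toward delegating far more capability to the embedded origin than a dashboard normally needs. It also does not say that the two defaults cannot be removed through this option. I would reword it along the lines of `/** Extra Permissions Policy features to delegate to the embedded Superset origin via the iframe's allow attribute; list only what the dashboard needs. fullscreen and clipboard-write are always included. **/`. The `EmbedDashboardParams` type begins and ends outside this hunk.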
@@ -233,9 +233,14 @@ export async function embedDashboard({
       iframe.src = `${supersetDomain}/embedded/${id}${urlParamsString}`;
       iframe.title = iframeTitle;
       iframe.style.background = 'transparent';
-      if (iframeAllowExtras.length > 0) {
-        iframe.setAttribute('allow', iframeAllowExtras.join('; '));
-      }
+      // Permissions Policy features the embedded dashboard relies on. Modern
+      // browsers gate these APIs on the iframe's `allow` attribute regardless
+      // of sandbox flags, so we include them by default. Host apps can extend
+      // the list via `iframeAllowExtras`.
+      const allowFeatures = Array.from(
+        new Set(['fullscreen', 'clipboard-write', ...iframeAllowExtras]),
+      );
+      iframe.setAttribute('allow', allowFeatures.join('; '));
       //@ts-ignore
       mountPoint.replaceChildren(iframe);
       log('placed the iframe');
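Review bot: The `allow` attribute is now set unconditionally with `fullscreen` and `clipboard-write`, and the `Set` only removes exact string duplicates, so a host has no way to withhold either feature from the embedded origin. An entry such as `"fullscreen 'none'"` or `' fullscreen'` in `iframeAllowExtras` is appended after the default rather than replacing it, and as far as I know the browser keeps the first declaration of a feature, so the override would likely be ignored. Keying the list by feature name, with trimmed entries and empty ones dropped, lets hosts that want a tighter policy override a default while keeping the new behaviour for everyone else. The body of `embedDashboard` starts and ends outside this hunk.

```typescript
      iframe.style.background = 'transparent';
      // Key each directive by its feature name so a host-supplied entry
      // (e.g. "fullscreen 'none'") replaces the default instead of trailing it.
      const allowByFeature = new Map<string, string>();
      for (const entry of ['fullscreen', 'clipboard-write', ...iframeAllowExtras]) {
        const directive = entry.trim();
        if (directive) allowByFeature.set(directive.split(/\s+/)[0], directive);
      }
      iframe.setAttribute('allow', Array.from(allowByFeature.values()).join('; '));
      // … unchanged: mountPoint.replaceChildren(iframe) and log call …
```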
