Iframe - performing SSO and accessing page behind authentication wall with iframe


I have 2 domains, one that hosts my app - myapp, and the other that hosts gooddata dashboards - analytics.myapp. I would like to embed a gooddata dashboard to a page in my app. I have set the frame-src to allow requests from the domain where the dashboard is:

set $CSP "${CSP}; frame-src https://analytics.myapp.com/";

add_header Content-Security-Policy ${CSP};

I have also set the CORS at the host analytics.myapp to allow requests from myapp domain:

ingress:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "http://localhost:10000, https://myapp.com"

I want to embed an iframe with content from the domain analytics.myapp, which is possible to see only after you are authenticated, into a page on myapp domain. Right now when I load the content the iframe is displaying a login page, and if I try to log in through an iframe, I get an error:

Blocked autofocusing on a <input> element in a cross-origin subframe.

If I log in to analytics.myapp with a user in a different tab, that doesn't work, since cookies are not sent to the myapp domain. I see that it is possible to authenticate through an API in their docs. They also have docs on how to embed their dashboard, but in order to see the embedded dashboard, the docs say:

Users must be workspace members to see the embedded dashboard.

I don't have SSO (single sign-on) implemented yet, but I wonder whether, once I implement it, there will still be issues with CORS. I would imagine that once I implement this and a user from the myapp domain goes to a page where I have an iframe with the embedded dashboard from analytics.myapp, they will be redirected to an auth endpoint on myapp, where the user will be authenticated through SSO for analytics.myapp and redirected back to analytics.myapp with the user data.

Now, is that the correct flow, will it work with an iframe, are there any CORS issues with this, and can it be implemented like that?

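As an added example (not code from the original post, and not GoodData's or nginx's own), here is a small JavaScript model of the three browser rules that decide what the embedded frame actually shows: the embedding page's CSP `frame-src`, the framed site's `X-Frame-Options` / CSP `frame-ancestors`, and the SameSite handling of the framed site's session cookie. CORS (`Access-Control-Allow-Origin`) is not one of them: it governs whether scripts may read cross-origin responses, not whether a page may be framed or whether cookies accompany the frame's navigation. All origins, header values and the cookie name are constructed for the demo, and two rules are simplified on purpose: the registrable domain is taken as the last two host labels (no Public Suffix List), and an unspecified SameSite is treated as Lax, which is Chrome's default.

```javascript
// Added example, not from the original post: a compact model of the browser rules that
// decide whether a cross-origin <iframe> renders and whether the framed site's session
// cookie travels with it. All origins, headers and cookie values are constructed.

// Registrable domain approximated as the last two labels (assumption: no Public Suffix List).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// "Same site" in the SameSite-cookie sense: same scheme and same registrable domain.
function isSameSite(originA, originB) {
  const a = new URL(originA), b = new URL(originB);
  return a.protocol === b.protocol && registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Parse "directive value value; directive ..." into { directive: [values] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Match one CSP source expression against a URL: 'none', 'self', *, scheme-source,
// and host-source with optional "*." wildcard and path prefix (ports are not modelled).
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === selfOrigin;
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, path] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const h = u.hostname.toLowerCase(), hx = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + hx) : h !== hx) return false;
  if (path) return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
  return true;
}

// Embedder side: frame-src falls back to child-src, then default-src; no directive means allowed.
function embedderAllowsFrame(embedderCsp, embedderOrigin, frameUrl) {
  const csp = parseCsp(embedderCsp);
  const list = csp["frame-src"] || csp["child-src"] || csp["default-src"];
  return !list || list.some((e) => sourceMatches(e, frameUrl, embedderOrigin));
}

// Framed side: CSP frame-ancestors wins over X-Frame-Options when both are present;
// neither header means any site may frame the page.
function framedResponseAllowsAncestor(headers, embedderOrigin, frameOrigin) {
  const csp = headers["content-security-policy"] ? parseCsp(headers["content-security-policy"]) : {};
  if (csp["frame-ancestors"]) {
    return csp["frame-ancestors"].some((e) => sourceMatches(e, embedderOrigin + "/", frameOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === frameOrigin;
  return true;
}

// Will the framed site's own cookie be attached to requests made from inside the frame?
// Assumption: unspecified SameSite is treated as Lax (Chrome's default).
function cookieSentInFrame(setCookie, embedderOrigin, frameOrigin) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const secure = attrs.includes("secure");
  const sameSite = (attrs.find((a) => a.startsWith("samesite=")) || "samesite=lax").split("=")[1];
  if (sameSite === "none" && !secure) return { sent: false, reason: "SameSite=None without Secure is rejected" };
  if (isSameSite(embedderOrigin, frameOrigin)) return { sent: true, reason: "embedder and frame are same-site" };
  if (sameSite === "none") return { sent: true, reason: "cross-site but SameSite=None; Secure" };
  return { sent: false, reason: `cross-site and SameSite=${sameSite}` };
}

function evaluateEmbedding(s) {
  const frameOrigin = new URL(s.frameUrl).origin;
  const cspOk = embedderAllowsFrame(s.embedderCsp, s.embedderOrigin, s.frameUrl);
  const ancestorOk = framedResponseAllowsAncestor(s.framedHeaders, s.embedderOrigin, frameOrigin);
  const cookie = cookieSentInFrame(s.framedHeaders["set-cookie"], s.embedderOrigin, frameOrigin);
  return { renders: cspOk && ancestorOk, cspOk, ancestorOk, cookieSent: cookie.sent, cookieReason: cookie.reason };
}

// Constructed scenario modelled on the post: https://myapp.com framing https://analytics.myapp.com.
const EMBEDDER = "https://myapp.com";
const EMBEDDER_CSP = "default-src 'self'; frame-src https://analytics.myapp.com/";
const FRAME_URL = "https://analytics.myapp.com/dashboards/42";
const SESSION_COOKIE = "gdsession=abc; Secure; HttpOnly; SameSite=Lax";

// 1. Framed site answers with X-Frame-Options: SAMEORIGIN -> blank frame despite the frame-src allowance.
const blockedByFramedSite = evaluateEmbedding({
  embedderOrigin: EMBEDDER, embedderCsp: EMBEDDER_CSP, frameUrl: FRAME_URL,
  framedHeaders: { "x-frame-options": "SAMEORIGIN", "set-cookie": SESSION_COOKIE },
});

// 2. Framed site opts in via frame-ancestors; the Lax cookie is still sent because the hosts are same-site.
const allowedSameSite = evaluateEmbedding({
  embedderOrigin: EMBEDDER, embedderCsp: EMBEDDER_CSP, frameUrl: FRAME_URL,
  framedHeaders: { "content-security-policy": "frame-ancestors 'self' https://myapp.com", "set-cookie": SESSION_COOKIE },
});

// 3. Same dashboard framed from an unrelated site: the Lax cookie is withheld, so the frame shows a login page.
const allowedCrossSite = evaluateEmbedding({
  embedderOrigin: "https://partner.example", embedderCsp: "frame-src https://analytics.myapp.com", frameUrl: FRAME_URL,
  framedHeaders: { "content-security-policy": "frame-ancestors https://partner.example", "set-cookie": SESSION_COOKIE },
});

console.log({ blockedByFramedSite, allowedSameSite, allowedCrossSite });
```

The practical check this encodes: run `curl -sI` against the dashboard URL and look at its `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers, because the embedder's `frame-src` only says what the embedder is willing to load, not what the framed site is willing to be loaded into; and confirm the framed site's session cookie is `Secure` with a SameSite value that fits the relationship between the two hosts (same-site hosts work with Lax, an unrelated embedder needs `SameSite=None; Secure`). `cors-allow-origin` on the analytics ingress affects neither of these.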