I have 2 domains, one that hosts my app - myapp, and the other that hosts GoodData dashboards - analytics.myapp. I would like to embed a GoodData dashboard into a page in my app. I have set the frame-src to allow requests from the domain where the dashboard is:
set $CSP "${CSP}; frame-src https://analytics.myapp.com/";
add_header Content-Security-Policy ${CSP};
I have also set the CORS at the host analytics.myapp to allow requests from the myapp domain:
ingress:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "http://localhost:10000, https://myapp.com"
I want to embed an iframe with content from the domain analytics.myapp, which is possible to see only after you are authenticated, into a page on the myapp domain. Right now when I load the content the iframe is displaying a login page, and if I try to log in through an iframe, I get an error:
Blocked autofocusing on a <input> element in a cross-origin subframe.
If I log in to analytics.myapp with a user in a different tab, that doesn't work, since cookies are not sent to the myapp domain.
I see that it is possible to authenticate through an API in their docs. They also have docs on how to embed their dashboard, but in order to see the embedded dashboard, the docs say:
Users must be workspace members to see the embedded dashboard.
I don't have SSO (single sign-on) implemented yet, but I wonder, once I implement it, will there still be issues with CORS? I would imagine that once I implement this, and a user from the myapp domain goes to a page where I have an iframe with the embedded dashboard from analytics.myapp, they will be redirected to an auth endpoint on myapp where the user will be authenticated through SSO for analytics.myapp and redirected back to analytics.myapp with the user data.
Now, is that the correct flow, and will that work with an iframe? Are there any CORS issues with this, and can it be implemented like that?
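
The browser-side checks this question touches on (the embedder's frame-src, the framed response's frame-ancestors or X-Frame-Options, and SameSite cookie rules), modelled as an added example that is not part of the original post. The `checkEmbed` function, the header values and the cookie attributes are constructed for illustration and are not taken from GoodData or from this deployment.

```javascript
// Added example: which browser checks apply when one page frames another origin.
// All header and cookie values passed in are constructed samples.
const origin = (u) => new URL(u).origin;

// Simplification (assumption): site = scheme + last two host labels;
// real browsers use the Public Suffix List.
function site(u) {
  const { protocol, hostname } = new URL(u);
  return protocol + '//' + hostname.split('.').slice(-2).join('.');
}

// Return the source list of the first directive in `names` that the policy sets, or null.
function directive(csp, names) {
  const parsed = new Map((csp || '').split(';').map((d) => d.trim().split(/\s+/))
    .filter((t) => t[0]).map(([name, ...srcs]) => [name.toLowerCase(), srcs]));
  for (const n of names) if (parsed.has(n)) return parsed.get(n);
  return null;
}

// Origin-level match only; CSP path matching and host wildcards are left out.
function matches(sources, target, self) {
  return sources.some((s) => {
    if (s === '*') return true;
    if (s === "'self'") return origin(target) === origin(self);
    try { return new URL(s).origin === origin(target); } catch { return false; }
  });
}

function checkEmbed({ embedder, embedderCsp, framed, framedHeaders = {}, cookie = {} }) {
  const out = { corsInvolved: false }; // CORS governs fetch/XHR reads, not iframe document loads
  const src = directive(embedderCsp, ['frame-src', 'child-src', 'default-src']);
  out.embedderAllows = src === null || matches(src, framed, embedder);
  const anc = directive(framedHeaders['content-security-policy'], ['frame-ancestors']);
  const xfo = (framedHeaders['x-frame-options'] || '').toUpperCase();
  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  if (anc !== null) out.framedAllows = matches(anc, embedder, framed);
  else if (xfo === 'DENY') out.framedAllows = false;
  else if (xfo === 'SAMEORIGIN') out.framedAllows = origin(embedder) === origin(framed);
  else out.framedAllows = true;
  const crossSite = site(embedder) !== site(framed);
  // Assumption: a cookie with no SameSite attribute is treated as Lax (Chromium default).
  const sameSite = (cookie.sameSite || 'Lax').toLowerCase();
  // A framed load is not a top-level navigation, so cross-site Lax/Strict cookies are withheld.
  out.cookieSent = !crossSite || (sameSite === 'none' && cookie.secure === true);
  return out;
}
```

Browsers that block third-party cookies can still withhold a `SameSite=None; Secure` cookie in a cross-site frame even when `cookieSent` is true here.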