Web requests failing in the latest versions of Chrome, even if the WebAccess privilege is granted in capabilities.json #101
Description
Hello everyone
I have several custom visuals that are custom made for my clients and perform web requests to the client's backend as part of the visual's functionality.
This has always worked correctly, assuming of course the privilege is declared in capabilities.json:
"privileges": [
{
"name": "WebAccess",
"essential": true,
"parameters": [ "..."]
}
]Since a few days ago, we started getting reports from most of our users that our visuals were broken.
After diagnosing the issue, we came to the conclusion that this is due to the new Local network access restrictions that ships with the lates versions of Chrome.
In practice, what is happening is that Chrome is blocking any request from a custom visual that is going to any address considered "non public", which includes not only localhost but also intranet sites/apis that are part of a private company network or VPN, like for example the 10.x.x.x range.
Normally, this "feature" would just ask the user for permission to access the private network with a popup, which would be fine.
However, in case of Power Bi custom visuals, the visual is hosted inside a sandboxed iframe, and to make the call work the iframe needs the
sandbox="local-network-access"
attribute, that Power Bi is not setting.
Is there any workaround for this issue? Will Microsoft update the power bi service and correct the iframe sandbox configuration? I think this would be the only real solution for this (and please let me know if this is not the appropriate place to raise this issue, I wasn't sure)
Thanks for any feedback.