Get certified for free when you join Fabric Data Days 2026 and dive into Fabric, Power BI, SQL, AI, and other essential data skills.
Join nowJuly 7 - July 17 | Round 2 of the Power BI Dataviz World Championships. Don't miss your chance! Learn more
I am writing to seek clarification regarding the iFrame sandbox permissions for custom visuals in PowerBI. Specifically, since the sandbox only supports the "allow-scripts" permission, I am concerned about its impact on cross-domain requests.
Could this limitation be causing issues when attempting to pull origin information or resulting in null values when sending POST/OPTIONS requests to other domains? If so, what solutions are available to address this issue? Additionally, is it possible to loosen the restriction on sandbox permissions, or is there an alternative method to successfully pull origin information under the current constraints?
Hi @jeromexshi,
All you can do to get successful responses from an endpoint is if the Access-Control-Allow-Origin response header is configured as * or null (as custom visuals have a null origin due to the sandbox impositions). If you cannot work to these constraints, then there is currently no known workaround.
If these have been set, then HTTP(S) endpoints should be callable per usual JS fetch methods.
Regards,
Daniel
Proud to be a Super User!
On how to ask a technical question, if you really want an answer (courtesy of SQLBI)
Join us in Barcelona for FabCon and SQLCon, the Fabric, Power BI, SQL, and AI community event. Save €200 with code FABCMTY200.
Join Data Days 2026: 60 days of free live/on-demand sessions, challenges, study groups, and certification opportunities.
| User | Count |
|---|---|
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 1 |