Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
tarockx
Regular Visitor

Third-party cookies and Custom Visuals that make web requests

Hello everyone

 

I'm writing this post in regards to the imminent deprecation of "third party" (i.e.: cross-site) cookies in browsers like Chrome and others.

 

My company has developed several custom visuals that make web requests to our backend services in order to fetch data.

Of course these calls rely on cookies to make sure users are authenticated on our backend services and properly authorized.

 

Until now, this was possible without issues. What we did in our visuals until now is this:

  • We make a GET request to our backend to check if the user has their authentication cookie set
  • If authentication fails, we open a new tab using host.launchUrl(https://our_backend_login_page) where the user can authenticate, and in the custom visual we start polling the backend to check when the user has logged in
  • When the backend replies with success, it means the cookie has been set and the user is authenticated. We can now load the rest of the visual

Thanks to the "WebAccess" privilege, that allows us to make cross-site requests to specific domains without any problem, this worked perfectly until now. However, the new policy in Chrome and other browsers will soon break this mechanism, as Chrome itself lets you know:

tarockx_0-1708364351969.png

 

Now, in their guide here, Google suggests various alternatives to third-party cookies, but from my preliminary research and tests the two main ones do not seem promising:

  • The CHIPS method (aka: partitioned cookies) seems to not be applicable here, because it requires the partitioned cookie to be set from within the embedding site... but I cannot embed my site directly in the visuals, because the visuals themselves are sandboxed iframes (that is why I do the open new tab + polling method instead, like I described before)
  • The Storage Access API method seems, on paper, to be exactly what we need: we can just explicitly request access to the user and if they accept third-party cookies will start working again. However, when I tried to implement the suggested flow, it doesn't work. Specifically, I get the following error when trying to invoke the document.requestStorageAccess() method:
    tarockx_1-1708365015802.png

    I cannot find much info on this error but, like the problem with the CHIPS method, it seems to be related to the fact the the Custom Visuals iframes are sandboxed and configured so that a call to window.origin returns null.

Now, can anyone tell me if I did something wrong, or am I correct in what I just wrote? Am I missing something? Are the ways to implement one of those two approaches in a PoweBI custom visual?

 

If the answer is no, does anyone know of any alternative solutions? The only thing I can think of is using the recently introduced option to access the local storage from a Custom Visual to store an authentication token (for example: JWT). However, this is not as straightforward as it sounds, because we must first ACQUIRE the authentication token somehow. I've thought of some hacky workarounds, but nothing that sounds like a proper solution. Does anyone have any better ideas?

 

Thanks in advance for your support.

1 ACCEPTED SOLUTION
tarockx
Regular Visitor

Just in case someone else is having this question: I spoke with Microsoft tech support, and unfortunately they say there is no way around this and no further implementations will be done to alleviate this issue.

 

The only other option is using the authentication API, but be aware of the fact that it is only available for certified visuals and also is only compatible with backends that use Entra ID authentication.

View solution in original post

3 REPLIES 3
tarockx
Regular Visitor

Just in case someone else is having this question: I spoke with Microsoft tech support, and unfortunately they say there is no way around this and no further implementations will be done to alleviate this issue.

 

The only other option is using the authentication API, but be aware of the fact that it is only available for certified visuals and also is only compatible with backends that use Entra ID authentication.

tarockx
Regular Visitor

Is there really nobody that is facing this same situation? Really? I'm kinda surprised by that.

Do you think I should open a ticket to MS about this? Can anyone tell me where it would be approriate to do it?

If you have a Pro license you can open a Pro ticket at https://admin.powerplatform.microsoft.com/newsupportticket/powerbi
Otherwise you can raise an issue at https://community.fabric.microsoft.com/t5/Issues/idb-p/Issues .

Helpful resources

Announcements
Sept PBI Carousel

Power BI Monthly Update - September 2024

Check out the September 2024 Power BI update to learn about new features.

September Hackathon Carousel

Microsoft Fabric & AI Learning Hackathon

Learn from experts, get hands-on experience, and win awesome prizes.

Sept NL Carousel

Fabric Community Update - September 2024

Find out what's new and trending in the Fabric Community.

Top Kudoed Authors