Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Try your skills in the Power BI Dataviz World Championship! Round one ends June 26. Join now

andyward

Custom visual development - access to external resources using domain-names with hyphens is broken.

Submitted by on ‎12-20-2022 02:34 PM

When developing a custom visual that needs to access external resources you can white list domains to permit web access as per https://learn.microsoft.com/en-us/power-bi/developer/visuals/capabilities#allow-web-access

... this updates the CSP's default-src policy with the permitted domains

 

In the stated above example in the developer docs if you change the config to use a domain name containing a hyphen it will prevent all access to the web from a powerBI visual.

 
e.g. in this example, changing the 2nd parameter to example-site.com (from example.com) will prevent all access to any sites, including api.microsoft.com.
 

 

 

{
    "name": "WebAccess",
    "essential": true,
    "parameters": [ "https://*.microsoft.com", "http://example-site.com" ]
}​

 

 

It seems like hypens in domain names cause the CSP to not be formed as expected

 

Status: Investigating
See more ideas labeled with:
3 Comments (3 New)
Comments
Anonymous
Not applicable
‎12-21-2022 11:55 PM

Hi @andyward ,

 

This looks more like a product improvement than a feature bug.

If you would like to suggest  feature improvements, you may  vote the idea and comment here  to improve this feature. It is a place for customers provide feedback about Microsoft Office products . What’s more, if a feedback is high voted there by other customers, it will be promising that Microsoft Product Team will take it into consideration when designing the next version in the future.

 

Best Regards,
Community Support Team _ Caitlyn

andyward
Regular Visitor
‎12-22-2022 12:01 AM

If you've got a dash/hyphen in your domainname it's a complete blocker for external access. I worked around it using our Azure FQDN rather than the public domain, but it meant I had to wildcard *.azurewebsites.net rather than {guid-identifier-with-dashes}.azurewebsites.net

 

May not be a bug, but it's an omission/oversight IMO

andyward
Regular Visitor
‎12-20-2023 03:19 AM

Any update on this? Can I make another request that this be considered a bug, not a feature request?

 

Domain names containing a 'dash' / hypen are fully legal according to RFC1035 (DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION): see page 7: 

<let-dig-hyp> ::= <let-dig> | "-"

As the custom visual whitelisting code is currently implemented it seems the WebAccess sanitisation precent generation of the CSP completely for custom visuals that need to whitelist access to any resource that contains a hyphen. So just adding one domain with a hypen into the custom visual's Web access parameters list breaks all whitelisted web access for all domains.

 

Domains containing hypens are not unusual. Just looking at a random list of top 100 websites shows a few high profile sites with domains that could not whitelist a visual with their own domain due this issue:

 

  • coca-cola.com
  • t-mobile.com
  • merriam-webster.com
  • harley-davidson.com

And as mentioned earlier, a lot of folks with azurewebsites.net sites use '-' in their instance name.

 

Surely this bug should be fixed?

Idea Statuses