backstage
Referrer is not set when attempting to embed a 3rd party page
📜 Issue Labels
- [x] Please familiarize yourself with the issue labels used in this project: LABELS.md
🔎 Search Terms
datadog referrer iframe origin
🗃️ Project Area
Catalog
🔗 External Integration
Other
📝 Description & Context
When attempting to embed a datadog graph as mentioned in this document it appears impossible to fetch the said graph if it's restricted by the Referrer, because the catalog page appears not to be sending one in the headers:
Specifically - it appears that backstage by default sets its Referrer Policy to 'no-referrer', and there seems not to be any setting in app-config.yaml that allows to change this. Would it be possible to have one?
👍 Expected Behavior
Having a setting that looks something like
app:
referrerPolicy: strict-origin-when-cross-origin
In order to be able to pass the referrer to the embedded webpages so that they may validate it and return 200
📦 Reproduction Repo
No response
🥾 Reproduction steps
- Follow the Official guide to embed a datadog dashboard
- restrict the said dashboard to the value of your backstages'
window.location.origin - load the catalog page of the entity that's got the dashboard embedded
Have you read the Code of Conduct?
- [x] I have read the Code of Conduct
Are you willing to submit PR?
No, but I'm happy to collaborate on a PR with someone else
it appears that backstage by default sets its Referrer Policy to 'no-referrer'
This is the default policy of the helmet middleware that's being added by default to all routes. It does have some configurability, which is fetched here. Indeed, it does not set the referrerPolicy at this time but it could be added. Opening up for contributions!
Hi @vandr0iy, Freben left comments on the PR you linked. Please take a look when you have some time 🙂 .
