Configure the Content Security Policy to embed resources externally

Embed a Foundry resource externally

This section describes how to embed a Foundry resource, such as a Workshop module, on your organization’s own website. There are important considerations to review beforehand, so make sure to read through all of the details and risks described below.

The configuration requires editing the Content Security Policy found in Control Panel for your Foundry environment.

Update the Content Security Policy

Navigate to Control Panel in your Foundry environment and then locate the section for configuring your Content Security Policy. Note that this section is only available to users designated as organization administrator or data governance officer in Control Panel.

In the text field add a new line as follows, or append to the existing frame-ancestors directive if it is already present in the text of the field:

frame-ancestors https://dashboard.examplesite.com

Replace the above URL with the URL where your organization plans to embed the Foundry resource, separating multiple URLs with a space. Remember to save when finished.

Check your organization’s website settings

You might need to configure your organization's site to allow embedding. For example, some front-end environments commonly restrict which URLs can be loaded in an iframe. If your organization has similar restrictions, ensure that the Foundry platform's URL is allowlisted by adding Foundry as a source in your organization's frame-src directive.

Embed external resources in Foundry

You can embed external resources into Foundry applications. To do so, add the URL of your desired resource as a source for the frame-src directive in the Content Security Policy configuration panel. For example, if there is no frame-src directive in your configuration yet, add the line:

frame-src https://dashboard.examplesite.com

replacing the example URL as necessary. Remember to save to apply your changes.

As above, depending on your organization's site security settings, you may also need to add Foundry as a source in the frame-ancestors directive of your organization's Content Security Policy configuration.
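The two edits described above (appending an origin to an existing frame-ancestors or frame-src line, or adding the line when it is absent) can be scripted so the directive only ever gains exact https origins. This is an added example, not Foundry code: it assumes the policy text holds one directive per line, and `toSource` and `allowSource` are hypothetical names.

```javascript
// Added example (not Foundry code). Assumes the policy text field holds
// one directive per line; function names are hypothetical.

// Reduce a URL to a bare https origin; reject anything broader or malformed.
function toSource(url) {
  if (url.includes("*")) throw new Error("wildcard sources are not accepted: " + url);
  const u = new URL(url); // throws on malformed input
  if (u.protocol !== "https:") throw new Error("only https origins are accepted: " + url);
  return u.origin; // drops path, query and fragment
}

// Return the policy text with `url` allowed in `directive`
// ("frame-ancestors" or "frame-src"), leaving every other line untouched.
function allowSource(policyText, directive, url) {
  const source = toSource(url);
  const lines = policyText.split(/\r?\n/);
  const idx = lines.findIndex(
    (l) => l.trim().split(/\s+/)[0].toLowerCase() === directive
  );
  if (idx === -1) {
    // No such directive yet: add it as a new line.
    const kept = lines.filter((l) => l.trim() !== "");
    return [...kept, `${directive} ${source}`].join("\n");
  }
  const body = lines[idx].trim();
  const semi = body.endsWith(";") ? ";" : ""; // keep a trailing separator if present
  const [name, ...sources] = body.replace(/;$/, "").trim().split(/\s+/);
  // 'none' only has meaning when it stands alone, so it is replaced, not appended to.
  const merged = sources.filter((s) => s.toLowerCase() !== "'none'");
  if (!merged.some((s) => s.toLowerCase() === source)) merged.push(source);
  lines[idx] = `${name} ${merged.join(" ")}${semi}`;
  return lines.join("\n");
}

// Constructed sample policy, not taken from a real environment.
const samplePolicy = "default-src 'self'\nframe-ancestors 'self'";
console.log(allowSource(samplePolicy, "frame-ancestors", "https://dashboard.examplesite.com/reports"));
```

Running the function twice with the same URL leaves the policy unchanged, so it is safe to re-apply before saving.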

Considerations

It is important to review the following considerations while exploring this configuration for your organization.

Authentication

When the Foundry resource is successfully embedded on your organization’s website, users must be logged in to both your organization’s website and to Foundry. For security reasons, the login flow cannot be shown in an iframe; users must log into Foundry in another tab or window. You can configure an automation for your organization's website to automatically open the URL https://{my-foundry-url}/workspace/auth-redirect in a new tab or pop-up window and initiate the login flow. When login is complete, the tab or window will automatically close. Foundry’s core security principles will continue to apply to the embedded resource. This means that a user’s permissions as configured in Foundry will dictate their access to the embedded Foundry resource on your organization’s site.

Discovering your Foundry URL and discovering other users

A user may be able to identify the URL of your Foundry environment by inspecting the browser calls required for embedding the Foundry resource on your organization’s website. In some cases this is not a relevant concern, for example, when you are embedding the Foundry resource on a site internal to your organization and everyone in your organization has access to your Foundry environment. But if you plan to embed the Foundry resource and share it with members of your organization that you do not want to discover your Foundry URL, then you should not proceed with embedding the Foundry resource.

Additionally, it is possible that a user could discover all other users if they are in the same Organization. Once they have identified the Foundry URL as described above, a user could navigate to Foundry and then to the Settings > Users section where they could view all other users in their Organization.

It is important to consider whether users should be able to discover other users of your Foundry environment. In some cases there are no concerns, for example, when all users are members of your organization and there is no issue with transparency of who has Foundry access. But if, for example, you will have members of your organization that you do not want to be able to discover who else in your organization has Foundry access, then you should not proceed with embedding.