fix(embedded-sdk): grant fullscreen and clipboard-write by default #39943

Merged
EnxDev merged 1 commit into master from enxdev/fix/chart-permission-error-in-embedded
May 8, 2026

@EnxDev EnxDev commented May 7, 2026

SUMMARY

The Embedded SDK creates its iframe without an allow attribute, so modern browsers block the Fullscreen API in cross-origin iframes with the error Disallowed by permissions policy. As a result the chart Enter Fullscreen action is broken in every embedded dashboard out of the box.

The chart code calls Element.requestFullscreen() (see superset-frontend/src/dashboard/components/SliceHeaderControls/index.tsx), which is gated by Permissions Policy independently of the iframe's sandbox attribute; allow-presentation alone does not satisfy the policy.

This change always sets allow="fullscreen; clipboard-write" on the iframe and merges any host-supplied iframeAllowExtras on top (deduped), so the two SDK-driven features that need Permissions Policy work without the host having to opt in. clipboard-write is included alongside because the existing "Copy permalink to clipboard" feature has the same class of bug.

The iframeAllowExtras option remains backwards compatible: hosts that already pass it just get their entries merged with the new defaults.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

Before

  • Embedded iframe has no allow attribute.
  • requestFullscreen() from chart code throws "Disallowed by permissions policy"; user sees a toast Error enabling fullscreen: Disallowed by permissions policy and the chart never enters fullscreen.

After

  • Embedded iframe is rendered with allow="fullscreen; clipboard-write".
  • Enter Fullscreen works; no toast error; Esc exits cleanly.
  • Hosts that supply iframeAllowExtras: ['camera'] get allow="fullscreen; clipboard-write; camera" (defaults preserved, extras appended, no duplicates).

TESTING INSTRUCTIONS

  1. Build the SDK:
    cd superset-embedded-sdk
    npm install
    npm run build

  2. In a host app that consumes @superset-ui/embedded-sdk, point at the local build (e.g. npm install ../superset/superset-embedded-sdk) and call embedDashboard({...}) against a Superset dashboard with embedding enabled.

  3. Open the host page in Chrome → DevTools → Elements → locate the injected <iframe>. Confirm it has:
    allow="fullscreen; clipboard-write"

  4. Inside the embedded dashboard, hover over any chart → click the ⋯ menu in the top-right corner → click Enter Fullscreen.
    Before this PR: red toast Error enabling fullscreen: Disallowed by permissions policy. Chart does not enter fullscreen.
    After this PR: chart enters fullscreen; press Esc to exit. No toast.

  5. Pre-fix regression guard: temporarily revert iframe.setAttribute('allow', allowFeatures.join('; ')) in superset-embedded-sdk/src/index.ts, rebuild, reload the host page → the original error toast appears again. Restore the line and the error is gone.

  6. iframeAllowExtras merging: pass iframeAllowExtras: ['camera'] in the host call. The iframe's allow attribute should now read allow="fullscreen; clipboard-write; camera" — defaults preserved, extras appended, no duplicates.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API
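
The merge described in the PR summary above (defaults first, host extras appended, no duplicates), as an added example that is not the SDK's own code. The names `buildAllow`, `unexpectedFeatures` and `featureName`, deduplication by feature name, and splitting extras on `;` are assumptions of this sketch; the second function is a host-side least-privilege check on the resulting `allow` value.

```typescript
// Added illustration; not code from superset-embedded-sdk.
// The two defaults are the ones named in the PR description.
const DEFAULT_ALLOW: string[] = ['fullscreen', 'clipboard-write'];

// Feature name of one allow entry: "camera 'self'" -> "camera".
function featureName(entry: string): string {
  return entry.trim().split(/\s+/)[0] || '';
}

// Defaults first, host extras appended, duplicates dropped.
// Assumptions of this sketch: entries are deduped by feature name, and an
// extra that itself contains ';' is split so every directive it carries is
// deduped and visible on its own.
function buildAllow(extras: string[]): string {
  const seen: string[] = [];
  const out: string[] = [];
  for (const raw of DEFAULT_ALLOW.concat(extras)) {
    for (const part of raw.split(';')) {
      const entry = part.trim();
      const name = featureName(entry);
      if (name === '' || seen.indexOf(name) !== -1) continue;
      seen.push(name);
      out.push(entry);
    }
  }
  return out.join('; ');
}

// Host-side least-privilege check: features delegated to the iframe that are
// not on the approved list (e.g. run against the rendered allow attribute).
function unexpectedFeatures(allowValue: string, approved: string[]): string[] {
  const found: string[] = [];
  for (const part of allowValue.split(';')) {
    const name = featureName(part);
    if (name !== '' && approved.indexOf(name) === -1 && found.indexOf(name) === -1) {
      found.push(name);
    }
  }
  return found;
}

// Constructed sample input.
console.log(buildAllow(['camera']));
console.log(unexpectedFeatures(buildAllow(['camera']), DEFAULT_ALLOW));
```

A host integration test can assert that `unexpectedFeatures` returns an empty list for the injected iframe unless a feature was deliberately delegated.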

bito-code-review Bot commented May 7, 2026

Code Review Agent Run #dda535

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: fd61cba..fd61cba
    • superset-embedded-sdk/src/index.ts
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Eslint (Linter) - ✔︎ Successful

@dosubot dosubot Bot added the embedded label May 7, 2026
@EnxDev EnxDev added the hold:testing! On hold for testing label May 7, 2026
@michaelmorera-preset commented

The application is working as expected. The chart can be set as full screen as expected. ✅

Scenario

When the user enters the Fullscreen chart option in embedded dashboards, the error message Disallowed by permissions policy is not displayed.

Steps

  1. Open an application page that renders a Superset embedded dashboard in an iframe, and make sure the dashboard loads successfully.
  2. On any chart in the embedded dashboard, open the chart menu and click Enter Fullscreen.

Current result

After step 2, the chart enters fullscreen mode inside the embedded dashboard without errors, and no Disallowed by permissions policy message appears in the browser console or UI.

Evidence

[Screenshot: chart fullscreen from embedded working correctly]

@EnxDev EnxDev removed the hold:testing! On hold for testing label May 8, 2026
@EnxDev EnxDev merged commit d378487 into master May 8, 2026
71 of 74 checks passed
@EnxDev EnxDev deleted the enxdev/fix/chart-permission-error-in-embedded branch May 8, 2026 07:28
qfcwell pushed a commit to qfcwell/superset that referenced this pull request May 12, 2026