removed global flag from valid embed hosts validation to resolve bug introduced with 2.23.0 release:
Issue reported [here](https://community.fabric.microsoft.com/t5/Developer/bd-p/Developer) and by @<Sergey Pustynsky> from datahub (attaching Sergey's description):
We started to get
"Invalid embed URL detected. Either URL hostname or protocol are invalid. Please use Power BI REST APIs to get the valid URL";
in Datahub embed scenario. We have 2 tabs, each one renders iframe with different configs. Once it rendered OK, 2nd time fails on error.
It's caused by this code, which looks valid
The result of this check is inconsistent (once returns true, once false) over the same data. It's possibly related to RegEx statefulness.
Do we really need this global flag in RegEx definition?
Symptoms:
> When a RegExp object is created with the global (g) or sticky (y) flag, it maintains an internal lastIndex property. This property is used to determine where to start the next match attempt during subsequent calls to .test() or .exec() methods. After each match attempt, lastIndex is updated. This means if a match is found, the next call to .test() will start searching from the position after the last match, which can lead to the following outcomes:
> - If the next call does not find a match (because it starts searching from a non-zero lastIndex), .test() will return false.
> - If you call .test() again after it returns false, lastIndex is reset to 0, and the regex is evaluated from the beginning of the string, potentially returning true again if a match is found from the start.
Related work items: #1362247
Client-side APIs are not supported for rdl reports.
Ideally, we should refactor our code to have one validation for all APIs. This requires major changes in the SDK code. So, I added this missing validation per request from a customer, especially since this API name does not make clear that it is Power BI report specific and might be misleading for customers.
[Incident 474677846 : [PowerBI] CSS - Embedded (User Owns Data/Apps Owns Data): <Programmatic refresh of paginated report in embedded doesn't work>](https://portal.microsofticm.com/imp/v3/incidents/incident/474677846/summary)
Following MSRC case as malicious site can be injected as the embed iframe src, added embed URL validation to ensure the host is an allowed PBI src.
A valid embed url protocol is "https:"
The valid hosts names are ([retrieved from EV2-deployment repository - all of ida_PowerBIFeUrl key values](https://dev.azure.com/powerbi/PowerBIClients/_search?action=contents&text=ida_PowerBIFeUrl path%3A*envParams*&type=code&lp=code-Project&filters=ProjectFilters{PowerBIClients}RepositoryFilters{PowerBIClients-EV2-Deployment}&pageSize=25&result=DefaultCollection/PowerBIClients/PowerBIClients-EV2-Deployment/GBmaster//WFE/AppService/ADM/Public/INT/envParams.txt)):
- app.powerbi.com,
- app.powerbi.cn,
- app.powerbigov.us,
- app.mil.powerbigov.us,
- app.high.powerbigov.us,
- app.powerbi.eaglex.ic.gov,
- app.powerbi.microsoft.scloud,
- powerbi-df.analysis-df.windows.net,
- CST WFE URLs: 'https://{cst-name}.analysis.windows-int.net'
- daily.powerbi.com
- dxt.powerbi.com
- msit.powerbi.com
Embed URL validation should include fabric embed URL.
All of the above should be covered by the following regex expressions:
`.+\.powerbi.com$`
- daily.powerbi.com
- dxt.powerbi.com
- msit.powerbi.com
- app.powerbi.com
FF: `^app(.mil.|.high.|.)powerbigov.us$`
- app.powerbigov.us,
- app.mil.powerbigov.us,
- app.high.powerbigov.us
Edog: `.+\.analysis-df.windows.net$`
Onebox and CSTs: `.+\.analysis.windows-int.net$`
Fabric URLs: `.+\.fabric.microsoft.com$`
**Please look into the test cases in utils.spec.ts to see the valid and invalid embed URLs**
Related work items: #1245653
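The embed URL validation described above, together with the global-flag regression fixed after 2.23.0, as an added example that is not the SDK's own code. `HOST_PATTERNS`, `makeValidator` and `checkAll` are hypothetical names, the patterns are the five listed above with dots escaped and `^` anchors added, and the sample URLs are constructed.

```javascript
// Added example, not SDK source. Patterns follow the changelog's list, with
// dots escaped and ^ anchors added (assumption of this sketch).
const HOST_PATTERNS = [
  "^.+\\.powerbi\\.com$",
  "^app(\\.mil\\.|\\.high\\.|\\.)powerbigov\\.us$",
  "^.+\\.analysis-df\\.windows\\.net$",
  "^.+\\.analysis\\.windows-int\\.net$",
  "^.+\\.fabric\\.microsoft\\.com$",
];

// Build a validator whose RegExp objects are created once and reused across
// calls, as module-level constants would be. `flags` is "" or "g".
function makeValidator(flags) {
  const regexes = HOST_PATTERNS.map((p) => new RegExp(p, flags));
  return function isValidEmbedUrl(raw) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      return false; // unparseable input is rejected
    }
    if (url.protocol !== "https:") return false;
    // hostname excludes userinfo, port, path and query, and is lower-cased
    return regexes.some((re) => re.test(url.hostname));
  };
}

// Validate each URL in order with one fresh validator; returns booleans.
function checkAll(flags, urls) {
  const validate = makeValidator(flags);
  return urls.map((u) => validate(u));
}

// Constructed sample URLs.
const SAME = "https://app.powerbi.com/reportEmbed?reportId=constructed";
const MIXED = [
  "https://app.fabric.microsoft.com/reportEmbed", // allowed host
  "http://app.powerbi.com/reportEmbed",            // wrong protocol
  "https://app.powerbi.com.example.org/embed",     // allowed name is not the suffix
  "not a url",
];

console.log("with g   :", checkAll("g", [SAME, SAME, SAME]));
console.log("without g:", checkAll("", [SAME, SAME, SAME]));
console.log("mixed    :", checkAll("", MIXED));
```

With `g`, the second of three identical checks fails because the regex that matched resumes from its `lastIndex` at the end of the previous hostname; without the flag the result depends only on the input.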
Minor version bump 2.22.3
This release will contain 1 change:
Pull Request 383914: [JavaScript SDK]: Add Create export in the JavaScript SDK
We need to release the export of create interface so we can consume it in SDK wrappers
Add report on blur event - lose focus
Two new methods added:
- clearVisualsSelection() -- Clears selected not popped out visuals, if flag is passed, all visuals selections will be cleared.
- closeAllOverlays() -- Closes all open PBI overlays (context menus, tooltips...)
1. Updated vulnerable packages
2. Update webpack config devtool value to false which is equivalent to none of the lower versions
Related work items: #978292, #982650, #986527, #988932
Add support of registering external components to SDK
How does it work?
1. User creates a new embed component extending `Embed` in his project
2. User implements the necessary code in FE to support hosting of the new component and handling events
3. Needed code to embed the new component:
`powerbi.register(componentType, embedComponentFactory, routerEventUrls);`
`powerbi.embed(embedContainer, config);`
powerbi.register:
- `componentType`: string representing the component type in embed configuration interface
- `embedComponentFactory`: function that returns a new instance of the embed component.
- `routerEventUrls`: list of urls to register, must use uniqueId and eventName as keys. something like that: `/componentName/:uniqueId/events/:eventName`
Example of calling powerbi.register for metric-picker component:
```
this.register(
  'metric_picker',
  (service, element, config, phasedRender, isBootstrap) => new MetricPicker(service, element, config, phasedRender, isBootstrap),
  ['/metricPicker/:uniqueId/events/:eventName']
);
```
Add QuickCreate.ts to handle quickcreate validations
Add quickCreate in service to handle new quickCreate path
Refactored embed and move create() into each component
sdkType tells us which SDK wrapper performs the actions, e.g: powerbi-client-react, powerbi-client-angular...
To update it we should pass the type in the header `x-sdk-type`, which is populated in the service constructor. Therefore, each wrapper needs to pass the correct sdkType when initiating the service (see example: [Pull Request 274150](https://dev.azure.com/powerbi/Embedded/_git/powerbi-client-react/pullrequest/274150)).
**What is the problem?** if user injects a new powerbi service to the wrapper and doesn't use the default service, the sdkType won't be populated.
As a result, I created new API in the service, so we could update in each wrapper the sdk type after the service is created.
In addition, create new header `x-sdk-wrapper-version`.
For an unknown reason, 2.20.0 was released 2 weeks ago to internal feed although it was not triggered.
This causes the internal feed phase to fail as package already existed.
Hosting apps (like TypeScript) that create a double instance of `service` will cause double registration of the eventHooks listener, which leads to missing the callback from the iframe.
Moving `router.post` from the `service` constructor to the `report` constructor resolves the issue.
Remove `accessToken` from the config when throwing an exception.
### Notes for reviewers
- Spread operator seems to be [well supported](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_syntax). It doesn't work in IE; however, it was transpiled to `__assign` in the JS code
- I can't put it in `utils.ts` because that would create a circular dependency (with `embed.ts` due to type imports).