Tableau Site Settings for Embedding


To provide more control and security in embedding scenarios that are not configured as connected apps, Tableau 2022.2 provides new settings for Tableau site administrators that control embedding views from the site.


In this section


About Tableau site settings for embedding

Starting with Tableau 2022.2, Tableau site administrators can control whether views from the Tableau instance are allowed to be embedded without restriction, or whether only those websites that are explicitly added to an allowlist can embed views. These settings apply to all embedded views except those that use Tableau connected apps for authentication using direct trust.

Starting with Tableau 2023.2 and Tableau 2023.31, these settings also apply to embedded views if your web application uses a Tableau connected app for authentication using OAuth 2.0 trust.

If your web application uses a Tableau connected app for authentication with direct trust, you do not need to add your web application to the embedding allowlist on your Tableau site. The domain allowlist of connected apps with direct trust supersedes the Tableau site allowlist for embedding and can be configured using the steps for connected apps in Tableau Cloud or Tableau Server. That is, the site settings for embedding views do not affect connected apps with direct trust. See the Tableau Site settings for embedding and connected apps.

For compatibility with current embedding solutions, the default Tableau site setting allows unrestricted embedding of views from the site. If you want to control the Tableau views that can be embedded, you can change this setting so that no websites are allowed to embed views, or only websites that you specify can embed Tableau views.

In Tableau 2022.2, Tableau site administrators can use the Tableau REST API (version 3.16 and later) to change the default settings.

URI <server>/api/<api-version>/sites/<site-id>/settings/embedding
Parameters Description
unrestrictedEmbedding (Boolean) Controls whether the site allows unrestricted embedding. The default setting is true, and embedding is allowed.
allowList (string) A space-delimited list of websites where embedding views is allowed.

By default, the unrestrictedEmbedding value is set to true, enabling all websites to embed Tableau views, and the allowList value is an empty ("") string. If unrestrictedEmbedding is set to false, only sites that appear on the allowList are able to embed views. Web applications that use Tableau connected apps with direct trust for authentication are not affected by the embedding site settings. See the Tableau Site settings for embedding and connected apps for more information.

View site settings for embedding

  1. To view the settings, login to Tableau using the Tableau REST API. See Sign In.

  2. Using the token returned by signing in and the site id, you can query the site for the embedding settings, see Get Embedding Settings for a Site.

The following shows the results of such a query. These settings show the default configuration that allows unrestricted embedding.

{
    "site": {
        "settings": [
            {
                "allowList": "",
                "unrestrictedEmbedding": true
            }
        ],
        "id": "abcd1234-ab12-ab12-ab12-abcd1234abcd"
    }
}

Restrict embedding to websites on the allowlist

To restrict embedding so that only the web site that you specify are allowed to embed views from this Tableau site, you need to set unrestrictedEmbedding to false. You then specify the websites you want to allow in the allowList. The allowList is a space-delimited list of sites. You can use wildcards and port numbers, following the Content Security Policy standard outlined for sources.

  1. To update the settings, login to Tableau using the Tableau REST API. See Sign In.

  2. Using the credentials token returned by signing in and the site id, update the site for the embedding settings, by sending a request packet with the updated settings. See Update Embedding Settings for a site.

For example, the following request packet restricts embedding views to just three websites, including a local computer used for testing.

{
    "site": {
        "settings": [
            {
                "allowList": "https://*.example.com https://mycompany.com http://localhost:8765",
                "unrestrictedEmbedding": false
            }
        ],
        "id": "abcd1234-ab12-ab12-ab12-abcd1234abcd"
    }
}


Cross-domain security

To ensure security in embedding scenarios, and to prevent cross-site scripting attacks, the website or web application that hosts the embedded view must not tamper with the Content Security Policy (CSP) headers at any point. Tampering with these headers in other places in the system could allow an attacker to retrieve information from the Tableau view. For more information, see Content Security Policy.


The Tableau site settings for embedding and connected apps

When you embed a view that has been configured to use a Tableau connected app for authentication, the domain allowlist of the connected app is not affected by the Tableau site settings for embedding when the connected app with direct trust is used.

The following table illustrates the behavior when a view is embedded with a JSON Web Token (JWT) of the connected app with direct trust. For information about using a connected app for authentication for your embedding scenario, see Authentication and Embedded Views.

In this example, the connected app domain allowlist only allows embedding inside domain xyz.com.

Tableau site settings for embedding Embedding (using the connected app with direct trust) Embedding
unrestrictedEmbedding: true Only allowed inside domain xyz.com Embedding allowed all domains
unrestrictedEmbedding: false, allowList: "abc.com" Only allowed inside domain xyz.com Only allowed inside domain abc.com
unrestrictedEmbedding: false, allowList: "" Only allowed inside domain xyz.com Embedding completely restricted

For more information

  1. Tableau 2023.2 release is Tableau Cloud only. Tableau 2023.3 release includes Tableau Server.