Redash

Redash embeds look simple: drop an <iframe> on the page and move on. Then CSP gets involved and suddenly the dashboard is blank, the browser console is yelling, and somebody suggests adding * everywhere. Don’t do that. When Redash embeds fail under CSP, the root cause is usually boring: the wrong directive, the wrong origin, or a policy applied on the wrong side of the iframe boundary. I’ve seen teams lose hours because they changed the parent page policy when the real blocker lived on the Redash server, or vice versa. ...