Are there any security concerns surrounding Viz?

  • 23 August 2018
  • 8 replies

We are interested in looking into leveraging custom visualizations, but are hesitant because it involves injecting JavaScript into our existing Looker instance that is accessing our company’s data.

For instance, I imagine it’s possible for some bad actor to create some custom visualization JavaScript that would send off the data that it is formatting to a remote server.

Are there security measures that Looker has put in place to prevent this entirely? Alternatively, can the curated set of custom visualizations offered through Looker be trusted to be free of malware?

Hi Ryan!

Thanks for your post! When using custom visualizations governed by the “Sandboxed Custom Visualizations” Lab Feature, the viz is loaded in an iframe with the sandbox attribute set to allow-scripts. We also allow you to provide an optional SRI hash when you define your visualization to confirm that the JavaScript you are loading is, in fact, yours.

Let us know if you have any other questions!
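The SRI check mentioned in the reply above, shown as an added example that is not part of the original thread and is not Looker's code: it computes the integrity value for a visualization bundle in Node.js and verifies a bundle against it using the strongest-algorithm rule from the W3C Subresource Integrity specification. The sample bundle and all function names are constructed for illustration.

```javascript
// Added example (not Looker's code): pin and verify an SRI value for a viz bundle.
const { createHash } = require("node:crypto");

// Hash algorithms the SRI spec allows, weakest to strongest.
const ALGS = ["sha256", "sha384", "sha512"];
const rank = (alg) => ALGS.indexOf(alg);

// Constructed stand-in for a visualization bundle, plus a modified copy.
const VIZ_JS = Buffer.from('/* constructed sample viz bundle */ console.log("render");\n');
const TAMPERED = Buffer.concat([VIZ_JS, Buffer.from("// extra bytes\n")]);

// Build the value you would record when defining the visualization.
function computeSri(body, alg = "sha384") {
  if (!ALGS.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Integrity metadata is a whitespace-separated list of "alg-digest[?options]".
// Items with an unknown algorithm or malformed digest are ignored.
function parseIntegrity(metadata) {
  return metadata.trim().split(/\s+/).flatMap((item) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(item);
    return m ? [{ alg: m[1], digest: m[2] }] : [];
  });
}

// Only digests for the strongest listed algorithm are consulted, so a weaker
// entry cannot rescue a mismatch. Browsers skip the check when no usable
// entry is present; this checker fails closed instead.
function verifySri(body, metadata) {
  const entries = parseIntegrity(metadata);
  if (entries.length === 0) return false;
  const strongest = entries.reduce((best, e) => (rank(e.alg) > rank(best) ? e.alg : best), ALGS[0]);
  const actual = createHash(strongest).update(body).digest("base64");
  return entries.some((e) => e.alg === strongest && e.digest === actual);
}

function demo() {
  const pinned = computeSri(VIZ_JS);
  return {
    pinned,
    untouched: verifySri(VIZ_JS, pinned),
    tampered: verifySri(TAMPERED, pinned),
    // sha256 of the modified file is listed, but sha384 is stronger and wins.
    weakerEntry: verifySri(TAMPERED, `${computeSri(TAMPERED, "sha256")} ${pinned}`),
  };
}
console.log(demo());
```

SRI confirms that the bytes loaded are the bytes that were pinned; it says nothing about what that code does once it runs, so it complements review of the visualization source rather than replacing it.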


Thanks Lauren. Do you know if the JavaScript running in the iframe can access HTML elements outside of the iframe?

Hi @tispratik !

The JavaScript running in the iframe cannot access HTML elements outside of the iframe. Here is a link that may be helpful in this case:



Thanks for the information, Lauren. I have a case wherein I need to access the filters in the dashboard in my custom visualization. Sounds like I wouldn’t be able to access the filters. I wonder if I can change the settings on the iframe in order to enable parent element access.

It would be nice if I could set the “allow-same-origin” attribute on the iframe, as my iframe is being loaded from a different backend.

Hi @tispratik! Have you seen the information available in Looker documentation for retrieving data from the iframe? It has an attribute for dashboard.filters that may be what you’re looking for here.

Thanks Peggy. Yes, I did look into that; I think it is only for embedded looks/dashboards.

I could verify that this is correct. Thanks!

Hi @tispratik! If you are still trying to get this to work, I’d like to suggest that you send us an email to to describe the specific use case and what you’d like to see in the product to enable what you need to do. We can continue the conversation in that email thread, and if there is anything that other customers can benefit from we’ll put a summary of that here.