Signed Embedding - Export request going directly to site URL instead of host specified in embed URL


We have a portal which embeds Metabase reports using Signed Embedding.
To facilitate this our Metabase instance is set up behind an NGINX proxy which re-routes any requests from the proxy to the Metabase site URL. This works well and allows the associated css and js files to flow through the proxy.

However when trying to export a question we get the following error which seems to indicate that the export request is going direct to the Metabase site URL instead of the host of the embed URL (which points to our proxy).

Refused to connect to '' because it violates the following Content Security Policy directive: "connect-src 'self'".

Whereas the embed request for the actual report itself uses the proxy as the host:

Is it possible to have the export requests route through the host specified in the embed URL itself so we are able to route all traffic through our proxy?


Why don't you rewrite the links via the nginx sub_filter module?

The export links aren't going through my NGINX proxy, they're going directly to our Metabase site. We're hosting the site on an internal DNS which points to an internal IP so it isn't accessible to anything outside of our production network.

If you change the site url in settings -> general the links should change

1 Like

I noticed that setting, but we preferably don't want email sign-up links to have to go through our proxy as a result of changing this link. This seems like the only way though on our license. Thanks man