Hi Maarten,
After the changes which fixed the https → http problem I’m still unable to get the embedded iframes working correctly. The issue is somewhat obscured by me observing different behaviour in different browsers which I don’t fully understand the root cause of at the moment.
I am using the UI to create a link to a Q&A, making sure “Allow to show in a iframe” is ticked, and I use this as the src of an iframe. These links have the form https://sandbox.clausebase.com/ml/___________.
If you use curl to make a request to one of these links you will see:
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, must-revalidate
< content-type: application/octet-stream
< date: Wed, 02 Apr 2025 13:07:42 GMT
< location: https://sandbox.clausebase.com/app/qna
< set-cookie: <redacted>
< strict-transport-security: max-age=31536000; includeSubDomains
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 0; mode=block
< content-length: 0
<
* Connection #0 to host sandbox.clausebase.com left intact
Notice that the response has the header x-frame-options: SAMEORIGIN. I think this is incorrect and is the issue that is preventing the iframe content from displaying.
You sent me a test HTML file via email that contains an iframe with the src set to one of these https://sandbox.clausebase.com/ml/___________ URLs.
The bit I don’t understand is that if I open this html file in Chrome then it works, I can see the content from the embedded iframe.
However, if I open the html file in Safari then the embedded content doesn’t load and I see the following in the JS console:
Refused to display 'https://sandbox.clausebase.com/app/qna' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
Moving away from the example html file that you sent. If I try and embed a Q&A in an iframe in my web application and load it in Chrome then I also see the error:
Refused to display 'https://sandbox.clausebase.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
So I’m unsure why Chrome is happy to load the iframe in the example html file that you sent, but not in my application. I was exploring whether there were some content security policies coming into play, but I haven’t been able to get to the bottom of it.
Regardless, I am pretty confident that the https://sandbox.clausebase.com/ml/___________ URLs should not be returning the header x-frame-options: SAMEORIGIN and the issue of the iframe content refusing to display is always present in Safari, even in the example HTML file that you provided.
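An added example, not part of the original post or ClauseBase's code: a Node.js check that walks the response headers from `curl -sv -L` output and reports, for each hop of the redirect chain, whether its framing headers would let a given parent origin embed it. The parent origin `https://app.example.com`, the `PLACEHOLDER` link id and the second hop of the sample are assumptions, and `frame-ancestors` matching is simplified to `*`, `'self'` and exact origins.

```javascript
// Constructed sample: hop 1 mirrors the 302 quoted in the post; hop 2 is an
// assumed response for the redirect target, not captured from the real server.
const SAMPLE = `
< HTTP/2 302
< location: https://sandbox.clausebase.com/app/qna
< x-frame-options: SAMEORIGIN
<
< HTTP/2 200
< x-frame-options: SAMEORIGIN
`;
// Split curl's "< "-prefixed response lines into one header map per response.
function parseHops(text) {
  const hops = [];
  for (const raw of text.split("\n")) {
    if (!raw.startsWith("< ")) continue;
    const line = raw.slice(2).trim();
    const m = line.match(/^([^:\s]+):\s*(.*)$/);
    if (/^HTTP\/[\d.]+ \d{3}/.test(line)) hops.push({ status: Number(line.split(" ")[1]), headers: {} });
    else if (hops.length && m) hops[hops.length - 1].headers[m[1].toLowerCase()] = m[2];
  }
  return hops;
}
// May a response with these headers render in a frame whose parent is
// parentOrigin? CSP frame-ancestors, when present, overrides X-Frame-Options.
function framingVerdict(headers, resourceUrl, parentOrigin) {
  const own = new URL(resourceUrl).origin;
  const fa = (headers["content-security-policy"] || "").split(";")
    .map((d) => d.trim().split(/\s+/)).find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (fa) {
    const ok = fa.slice(1).some((s) => s === "*" || s === parentOrigin || (s === "'self'" && own === parentOrigin));
    return ok ? "allowed" : "blocked by frame-ancestors";
  }
  const xfo = (headers["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" || (xfo === "SAMEORIGIN" && own !== parentOrigin)) return "blocked by X-Frame-Options";
  return "allowed";
}
// Follow Location headers so each verdict is tied to the URL that produced it.
function checkChain(text, startUrl, parentOrigin) {
  let url = startUrl;
  return parseHops(text).map((hop) => {
    const row = { url, status: hop.status, verdict: framingVerdict(hop.headers, url, parentOrigin) };
    if (hop.headers.location) url = new URL(hop.headers.location, url).href;
    return row;
  });
}
console.log(checkChain(SAMPLE, "https://sandbox.clausebase.com/ml/PLACEHOLDER", "https://app.example.com"));
```

Checking every hop matters here because the browser errors quoted above name the redirect target (`/app/qna` and `/`), not the `/ml/` link itself.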