Embedding a Q&A in an iframe on a https page

James · March 25, 2025, 12:07pm

I have created a link to a Q&A and clicked “Allow to show in an iframe”.

When I include the iframe on a page served over https then the browser gives an error:

Mixed Content: The page was loaded over HTTPS, but requested an insecure frame ‘Clause9’. This request has been blocked; the content must be served over HTTPS.

The magic link that was created was a https url, however when I request the url via curl I can see that the https redirects to a http url:

* Request completely sent off
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, must-revalidate
< content-type: application/octet-stream
< date: Tue, 25 Mar 2025 12:00:32 GMT
< location: http://sandbox.clausebase.com/app/qna

I think it is this https → http redirect that is preventing the iframe from being embedded.
If I embed the iframe in a page that is served over http then the embedded iframe loads and works as expected.

mtruyens · March 25, 2025, 10:28pm

That’s odd.

My initial hunch was that it was perhaps related to the fact that you’re using the Sandbox, but when I did a quick test, everything seemed to work.

Do I understand correctly that you’re trying to directly refer to /app/qna ? Because that will not work; instead, you need to generate an URL at /ml/... using the /document_login_url endpoint of the REST API.

For security reasons, I’ll send you a small sample file over email to test whether some sample URL is working.

Maarten

James · March 26, 2025, 10:03am

Thanks Maarten.

I can confirm I’m using the URL returned by the /document_login_url as the src of the iframe.

I can replicate the issue with the html file you sent via email. Eg.

Serve the html file over http:

python -m http.server 8300

Visiting http://localhost:8300/test.html works as expected.

(I can’t include the screenshot as it only lets me include 1 media item)

Serving the file over https, in my case I opened a Tailscale funnel to port 8300:

tailscale funnel 8300
Available on the internet:

https://xxxxx.tail36379.ts.net/
|-- proxy http://127.0.0.1:8300

Visiting the page:

I believe this is because of the redirect that happens to http when using a URL that is returned from /document_login_url:

curl -v https://<url from document_login_url>

....
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, must-revalidate
< content-type: application/octet-stream
< date: Wed, 26 Mar 2025 10:00:34 GMT
< location: http://sandbox.clausebase.com/app/qna

mtruyens · March 27, 2025, 7:59am

Apologies, you were completely right: at some point an HTTP request intervened. This is now corrected.