Embedding a Q&A in an iframe on a https page

I have created a link to a Q&A and clicked “Allow to show in an iframe”.

When I include the iframe on a page served over https then the browser gives an error:

Mixed Content: The page was loaded over HTTPS, but requested an insecure frame ‘Clause9’. This request has been blocked; the content must be served over HTTPS.

The magic link that was created was a https url, however when I request the url via curl I can see that the https redirects to a http url:

* Request completely sent off
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, must-revalidate
< content-type: application/octet-stream
< date: Tue, 25 Mar 2025 12:00:32 GMT
< location: http://sandbox.clausebase.com/app/qna

I think it is this httpshttp redirect that is preventing the iframe from being embedded.
If I embed the iframe in a page that is served over http then the embedded iframe loads and works as expected.

That’s odd.

My initial hunch was that it was perhaps related to the fact that you’re using the Sandbox, but when I did a quick test, everything seemed to work.

Do I understand correctly that you’re trying to directly refer to /app/qna ? Because that will not work; instead, you need to generate an URL at /ml/... using the /document_login_url endpoint of the REST API.

For security reasons, I’ll send you a small sample file over email to test whether some sample URL is working.

Maarten

Thanks Maarten.

I can confirm I’m using the URL returned by the /document_login_url as the src of the iframe.

I can replicate the issue with the html file you sent via email. Eg.

Serve the html file over http:

python -m http.server 8300

Visiting http://localhost:8300/test.html works as expected.

(I can’t include the screenshot as it only lets me include 1 media item)

Serving the file over https, in my case I opened a Tailscale funnel to port 8300:

tailscale funnel 8300
Available on the internet:

https://xxxxx.tail36379.ts.net/
|-- proxy http://127.0.0.1:8300

Visiting the page:

I believe this is because of the redirect that happens to http when using a URL that is returned from /document_login_url:

curl -v https://<url from document_login_url>

....
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< cache-control: no-cache, must-revalidate
< content-type: application/octet-stream
< date: Wed, 26 Mar 2025 10:00:34 GMT
< location: http://sandbox.clausebase.com/app/qna

Apologies, you were completely right: at some point an HTTP request intervened. This is now corrected.

1 Like