Webview stopped showing some webcontent on mobile this morning

swinmoutlet.com blocks embedding via their server security policy. This is the error I see in the console:

I don’t know what else to say… Many websites do not allow themselves to be embedded for security reasons (so other people cannot impersonate their website and steal their users’ information).

1 Like

It would be great if Glide could detect the error/blank page and force it to open outside the app in the user’s browser. This way, if a site works today, but not tomorrow, the app still functions without any intervention by a developer, and with very little impact to users.


@david I’m working with the site admin to get permission to do this. What exactly do I ask him to change to allow this to work? Don’t know the technical request to give him. Thank you.


Agree, it’s predominantly security issues with external sites that cause the issue, not Glide.

Just because a link previously worked in Glide does not mean that it will 100% work all the time. That’s not a flaw of Glide; it’s just the way of the world.

Glide cannot control external factors so this always needs to be considered as a ‘risk’ when designing apps and the dependability on 3rd party sites.

I’m sure this subject will continue to come up time and time again.



@glide_user this is a very low-level server feature, likely controlled by the platform the site is built on.

Webflow, for example, blocks embedding of any site built on Webflow. I believe you can turn off ‘Secure Frame Headers’ on their paid plan.

Better yet, some of these platforms let you specify which domains are allowed to embed your site.

1 Like
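The check a browser applies before rendering a framed page, as an added example that is not part of any post in this thread. It assumes the "server security policy" is expressed through the standard `X-Frame-Options` header or the CSP `frame-ancestors` directive (the thread does not name them), and every origin used with it is a constructed placeholder.

```javascript
// Added example (not from the thread). Simplified on purpose: only the direct
// embedder is checked, paths in sources are ignored, and a source without a
// scheme is assumed to use the embedder's scheme.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Does one frame-ancestors source expression match the embedding origin?
function matchesSource(source, embedder, pageOrigin) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === embedder.protocol; // scheme only
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const proto = scheme ? scheme + ':' : embedder.protocol;
  if (proto !== embedder.protocol) return false;
  const wantPort = port || DEFAULT_PORT[proto];
  const gotPort = embedder.port || DEFAULT_PORT[embedder.protocol];
  if (wantPort !== '*' && wantPort !== gotPort) return false;
  return host.startsWith('*.')
    ? embedder.hostname.endsWith(host.slice(1)) // "*.a.example" does not match "a.example"
    : embedder.hostname === host;
}

// headers: plain object of response headers for pageUrl (names are case-insensitive).
function framingDecision(headers, pageUrl, embedderUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const pageOrigin = new URL(pageUrl).origin;
  const embedder = new URL(embedderUrl);
  const directive = (h['content-security-policy'] || '')
    .split(';').map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) { // when present, frame-ancestors is used instead of X-Frame-Options
    const sources = directive.slice(1);
    const allowed = sources.some((src) => matchesSource(src, embedder, pageOrigin));
    return { allowed, reason: `CSP frame-ancestors ${sources.join(' ') || "'none'"}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedder.origin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: 'no framing restriction sent' };
}
```

A site that wants to be embeddable by one app only would send `frame-ancestors` listing that app's origin, which is the per-domain allowlist mentioned above; the function reports that case as allowed for the listed origin and blocked for any other.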

Same-Origin Policy (SOP) restricts how a document or script loaded from one origin can interact with a resource from another origin. For example, when Site X tries to fetch content from Site Y in a frame, by default, Site Y’s pages are not accessible due to security reasons. It would be a huge security flaw if you could do it.

How to solve?

The window.postMessage() method provides a controlled mechanism to securely circumvent this restriction. The window.postMessage() safely enables cross-origin communication between Window objects, e.g., between a page and an iframe embedded within it.

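// Look up the embedded iframe element on the parent page
const frame = document.getElementById('your-frame-id');
const message = { /* any variable or object here */ };
// The second argument restricts delivery to a frame loaded from this origin
frame.contentWindow.postMessage(message, 'http://your-second-site.com');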

The window.postMessage is available to JavaScript running in chrome code (e.g., in extensions and privileged code), but the source property of the dispatched event is always null as a security restriction. (The other properties have their expected values.)

Closing due to inactivity. This topic will be deleted in a few weeks if there are no more comments.