Webview stopped showing some webcontent on mobile this morning

swinmoutlet.com blocks embedding via their server security policy. This is the error I see in the console:

I don’t know what else to say… Many websites do not allow themselves to be embedded for security reasons (so other people cannot impersonate their website and steal their users’ information).

1 Like

It would be great if Glide could detect the error/blank page and force it to open outside the app in the user’s browser. This way, if a site works today, but not tomorrow, the app still functions without any intervention by a developer, and very little impact to users.

4 Likes

@david I’m working with the site admin to get permission to do this. What exactly do I ask him to change to allow this to work? Don’t know the technical request to give him. Thank you.

@ThinhDinh

Agree, it’s predominantly security issues with external sites that cause the issue, not Glide.

Just because a link previously worked in Glide does not mean that it will 100% work all the time. That’s not a flaw of Glide; it’s just the way of the world.

Glide cannot control external factors so this always needs to be considered as a ‘risk’ when designing apps and the dependability on 3rd party sites.

I’m sure this subject will continue to come up time and time again.

:wink:

2 Likes

@glide_user this is a very low-level server feature, likely controlled by the platform the site is built on.

Webflow, for example, blocks embedding of any site built on Webflow. I believe you can turn off ‘Secure Frame Headers’ on their paid plan.

Better yet, some of these platforms let you specify which domains are allowed to embed your site.

1 Like
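An added example, not part of the thread and not Glide's or any platform's code: the framing decision a browser makes from the response headers discussed above (`X-Frame-Options` and the CSP `frame-ancestors` directive, which is how a site lists the domains allowed to embed it). The origins and header values are constructed placeholders, and the matching is simplified to one level of framing with no port or path matching.

```javascript
// Added example: decide from response headers whether `embedderOrigin` may frame a page.
// Simplified: one level of framing, a single CSP header, no port/path matching.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, embedder, site) {
  const s = source.toLowerCase();
  if (s === "'self'") return embedder.origin === site.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // scheme source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme + ':' !== embedder.protocol) return false;
  return host.startsWith('*.')
    ? embedder.hostname.endsWith(host.slice(1)) // *.example.com matches app.example.com
    : embedder.hostname === host; // 'none' never equals a hostname, so it blocks
}

function canEmbed(headers, embedderOrigin, siteOrigin) {
  const embedder = new URL(embedderOrigin);
  const site = new URL(siteOrigin);
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors takes precedence; X-Frame-Options is ignored when it is present.
    const allowed = sources.some((src) => sourceMatches(src, embedder, site));
    return { allowed, reason: 'CSP frame-ancestors ' + (sources.join(' ') || '(empty)') };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedder.origin === site.origin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: 'no framing restriction in headers' };
}
```

A site that wants to permit one specific embedder while still refusing everyone else would send a `frame-ancestors` list naming that embedder's origin, which is the third case in the checks this example was written against.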

Same-Origin Policy (SOP) restricts how a document or script loaded from one origin can interact with a resource from another origin. For example, when Site X tries to fetch content from Site Y in a frame, by default, Site Y’s pages are not accessible due to security reasons. It would be a huge security flaw if you could do it.

How to solve?

The window.postMessage() method provides a controlled mechanism to securely circumvent this restriction. The window.postMessage() method safely enables cross-origin communication between Window objects, e.g., between a page and an iframe embedded within it.

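const frame = document.getElementById('your-frame-id');
const message = { /* any variable or object here */ };
// The second argument is the target origin: the message is only delivered to that origin.
frame.contentWindow.postMessage(message, 'http://your-second-site.com');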

The window.postMessage is available to JavaScript running in chrome code (e.g., in extensions and privileged code), but the source property of the dispatched event is always null as a security restriction. (The other properties have their expected values.)

Closing due to inactivity. This topic will be deleted in a few weeks if there are no more comments.