Form iframe embed not displaying seemingly due to x-frame-options = SAMEORIGIN

  1. I am seeking to embed an Airtable form into a webpage. On the embed view, if I turn on autosize height, there is a JavaScript. When this switch is turned off, the embed is just a simple iframe.

  2. On the webpage where I’m attempting to embed the Airtable form, I can embed other pages using iframe. Therefore, I know iframe will properly display content.

  3. The embed code supplied by Airtable shows nothing. The page is blank.

  4. When I use an iframe checker it reports: "Header X-Frame-Options found. The header is set to SAMEORIGIN. You are on a different domain and therefore this page can NOT be included." If I understand X-Frame properly, this indicates that an iframe embed can only be made from the Airtable domain. The full header reported is as follows:

HTTP/1.1 200 OK
cache-control: no-store, no-cache, must-revalidate
Cache-control: no-cache="set-cookie"
Content-Length: 25963
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Sep 2020 18:16:23 GMT
ETag: W/"656b-ovIs+MpQkjuLC/LYHXdHBhR4Mng"
expires: Sat Sep 26 2020 18:16:23 GMT+0000 (Coordinated Universal Time)
Referrer-Policy: same-origin
Server: Tengine
Set-Cookie: brw=brwqQ4ESHxn9zmze1; path=/; expires=Sun, 26 Sep 2021 18:16:23 GMT;; samesite=none; secure; httponly
Set-Cookie: __Host-airtable-session=eyJzZXNzaW9uSWQiOiJzZXNvSWEyVFQyanR6eVR6TiIsImNzcmZTZWNyZXQiOiJsTkdwajhjNldHa1Y1UmtGVkJLcWducnIifQ==; path=/; expires=Sun, 26 Sep 2021 18:16:23 GMT; samesite=none; secure; httponly
Set-Cookie: __Host-airtable-session.sig=Ur7fWF9qbaT6HtI_5ink_QvuzVdJ30ObNDcadFC3krk; path=/; expires=Sun, 26 Sep 2021 18:16:23 GMT; samesite=none; secure; httponly
Set-Cookie: AWSELB=F5E9CFCB0C87D62DB5D03914FDC2A2D2D45FBECE920772BD99A4627C52C73ED7F0469123D30BC1262B9940A7DF1D234855648842F307C869CCADBA86810CE186F5BC49125C;PATH=/
Set-Cookie: AWSELBCORS=F5E9CFCB0C87D62DB5D03914FDC2A2D2D45FBECE920772BD99A4627C52C73ED7F0469123D30BC1262B9940A7DF1D234855648842F307C869CCADBA86810CE186F5BC49125C;PATH=/;SECURE;SAMESITE=None
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Connection: keep-alive 

Note both Referrer-Policy: same-origin and X-Frame-Options: SAMEORIGIN. I’m assuming the latter is the issue.

How are people embedding pages if the X-Frame-Options are set to SAMEORIGIN? Any guidance would be much appreciated.

This topic was solved and automatically closed 15 days after the last reply. New replies are no longer allowed.
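
As an added example (not part of the original post and not Airtable's code), here is the check an iframe checker like the one in step 4 performs. It goes beyond the post by also covering the `Content-Security-Policy: frame-ancestors` directive, which browsers enforce instead of `X-Frame-Options` when both are present. The URLs are placeholders, the sample header block is constructed from the post's response, and the source matching is simplified.

```javascript
// Added example: would a browser let `parentOrigin` frame this response?
// Simplified: immediate parent only; common frame-ancestors source forms only.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue; // status line and blank lines carry no header
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

function sourceMatches(source, parent, self) {
  if (source === "'self'") return parent.origin === self.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return parent.protocol === source.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)$/i.exec(source);
  if (!m || parent.protocol !== m[1].toLowerCase() + ':') return false;
  const host = m[3].toLowerCase();
  return m[2] ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
}

function canFrame(rawHeaders, resourceUrl, parentOrigin) {
  const h = parseHeaders(rawHeaders);
  const self = new URL(resourceUrl), parent = new URL(parentOrigin);
  // Every CSP policy that carries frame-ancestors must allow the parent;
  // when one is present, X-Frame-Options is not consulted.
  const lists = (h['content-security-policy'] || [])
    .flatMap(p => p.split(';').map(d => d.trim().split(/\s+/)))
    .filter(d => d[0].toLowerCase() === 'frame-ancestors')
    .map(d => d.slice(1));
  if (lists.length > 0) {
    const ok = lists.every(l => l.some(s => sourceMatches(s, parent, self)));
    return { allowed: ok, decidedBy: 'Content-Security-Policy: frame-ancestors' };
  }
  const xfo = [...new Set((h['x-frame-options'] || []).join(',').split(',')
    .map(v => v.trim().toUpperCase()).filter(Boolean))];
  if (xfo.includes('DENY')) return { allowed: false, decidedBy: 'X-Frame-Options: DENY' };
  if (xfo.includes('SAMEORIGIN')) { // conflicting extra values block the frame
    const ok = xfo.length === 1 && parent.origin === self.origin;
    return { allowed: ok, decidedBy: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, decidedBy: 'no enforceable framing header' };
}

// Constructed input: the framing-relevant lines of the response in the post.
const SAMPLE = 'HTTP/1.1 200 OK\nReferrer-Policy: same-origin\nX-Frame-Options: SAMEORIGIN';
console.log(canFrame(SAMPLE, 'https://forms.example.com/f', 'https://www.example.org'));
```

`Referrer-Policy` plays no part in the decision; only the two framing headers are read.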