Security issue with URLs in embedded Airtable in Chrome and Safari

I have embedded an Airtable in a website with URLs that point to https locations that have PDF downloads. When the link is clicked the “https” is stripped off the URL (although it is still in the favicon on the browser tab) and the PDF will not open due to a security issue. Even dropping all security blocks will not allow the page to open. Not a problem with Edge or with Chrome or Safari on iPhone. Only with Chrome on PC and Safari on Mac. The link will open if it is in the website outside of the Airtable.

Update: Incognito doesn’t work; holding Ctrl (PC) or Cmd (Mac) will open the link in a new tab but stay on the main website. But it works!

For developers: “target _top” works but “target _blank” or “target _parent” are loading but not displaying.

From the identically described issue on stackoverflow.com, this was suggested but didn’t work. It killed the table completely when we pasted in the iframe code:
I found something! I know your question was 2 years ago, but if you use the sandbox “allow-popups-to-escape-sandbox” in your iframe, this will work.

Can you give an example of where this problem is happening?

I’ve got an Airtable database embedded in a website, and the URL fields are all PDF files starting with https:// and they are all loading just fine in Safari on Mac.

https://adveritasdx.com/test-database
Go to the last two columns. The “URL” column is fine, but just goes to a normal website.

Your database worked just fine for me. I clicked on several of the https:// links, and the PDF files opened up immediately in a new Safari tab — with the full https:// URL intact.

Here’s a video showing this in action in Safari for Mac:

Thank you, that is so weird. There’s 4 of us in our group and all having the same problem.

If we click on a link in the developer tools code it opens, so there’s something weird in the code that’s blocking. I’ll let you know when we figure it out but thanks for the frustrating video LOL!!

It’s giving us a 304 error, but not sure why…yet.

Yep - I suspect it’s because your browser settings are slightly biased toward cached resources.

The HTTP 304 Not Modified client redirection response code indicates that there is no need to retransmit the requested resources. It is an implicit redirection to a cached resource.

I think your browser is configured such that if it encounters a page that has not changed, pull it from cache where the most recent [changed] version of the content was preserved.

Lol! Not sure what’s going on. Maybe your IT Department added some strange security configuration to your Mac or Safari. You might try creating a brand new user account on your Mac (in your Mac’s System Preferences), and then log out and log in again as your new user. Then, see if it happens with your new user account. (I’m referring to Mac user accounts, not Airtable user accounts.) That would rule out any user-specific settings on your Mac that might be affecting Safari.

I’m actually primarily on a PC with Chrome. And it’s a personal computer so no IT department (or an incompetent one - me). Anyway, I’m online with a developer so hopefully we’ll get there.

Thanks Bill. We’ve tried incognito mode and all sorts of other security and cookie settings, but not helping.

Have you tried accessing this content from a completely different network connection? Same result?

Yes, we’re seeing it from 3 different states in the US. I’m editing the post as we learn more.

[quote=“Mike_Reed, post:1, topic:29363”]
holding Ctrl (PC) or Cmd (Mac) will open the link in a new tab but stay on the main website. But it works.
[/quote]

This is further indication that the cache pragma is blocking your access. If you force a cache clear in the request, the content comes through, right? Anything less, and the client is inclined to adhere to the website’s caching rules.

So, this could be a combination of two issues -

  1. The website is configured to inform clients that if they have the latest content, use it.
  2. The browsers are configured to abide by any server suggestions concerning cached content.

OK, we’re looking at that now.

And there’s a third possible issue here that we cannot easily rule out - malware. HTTP 304 errors are notorious indicators of URL hijacking and it is very uncommon to actually see them in browsers. I would take a deep read of some articles like this.

BUT: The 304 Not modified HTTP error may sometimes be triggered by malware or some problems with DNS server,[2] web browser’s cache or incompatible web browser’s plug-ins.

So it turns out the issue we are facing is related to the custom code section that GoDaddy sets up in their Web Designer tool. They created a way to introduce HTML but it is set with a sandbox attribute and values of: sandbox="allow-scripts allow-same-origin allow-forms allow-popups allow-presentation allow-top-navigation". This is breaking our links opening in a new tab (target=_blank) as they cannot escape the sandbox and make them show as blank. And we couldn’t find a way to hack around this.

So will be speaking to GoDaddy developers tomorrow. I’ll let you know when resolved, but not an Airtable issue per se.

Thanks for all of your help.
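
The link behaviour reported in this thread follows from how the HTML standard defines the iframe sandbox tokens. As an added example (not code from any poster, Airtable or GoDaddy), this JavaScript classifies what `target=_blank` and `target=_top` links may do under a given sandbox value; the function names and result labels are hypothetical.

```javascript
// Added example: audit an iframe sandbox attribute for link-target behaviour.
// Token meanings follow the HTML standard's definition of the sandbox attribute.

function parseSandbox(attr) {
  // Tokens are whitespace-separated and matched case-insensitively.
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

function auditSandbox(attr) {
  const t = parseSandbox(attr);
  const findings = [];

  // target=_blank / window.open: needs allow-popups to open at all, and the
  // new window inherits the sandbox unless allow-popups-to-escape-sandbox is set.
  let targetBlank;
  if (!t.has('allow-popups')) {
    targetBlank = 'blocked';
  } else if (!t.has('allow-popups-to-escape-sandbox')) {
    targetBlank = 'opens-sandboxed';
    findings.push('popups inherit the sandbox; content needing an unsandboxed context may not render');
  } else {
    targetBlank = 'opens-unsandboxed';
    findings.push('popups leave the sandbox; only acceptable when link targets are trusted');
  }

  // target=_top: governed by the top-navigation tokens.
  let targetTop = 'blocked';
  if (t.has('allow-top-navigation')) targetTop = 'allowed';
  else if (t.has('allow-top-navigation-by-user-activation')) targetTop = 'user-gesture-only';

  // Well-known weak pairing when the framed document shares the embedder's origin.
  if (t.has('allow-scripts') && t.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: same-origin framed content can remove its own sandbox');
  }
  return { targetBlank, targetTop, findings };
}

// Sandbox value quoted in the thread for the GoDaddy custom-code iframe.
const QUOTED = 'allow-scripts allow-same-origin allow-forms allow-popups allow-presentation allow-top-navigation';
// Same value with the token suggested in the quoted Stack Overflow answer.
const WITH_ESCAPE = QUOTED + ' allow-popups-to-escape-sandbox';

console.log(auditSandbox(QUOTED));
console.log(auditSandbox(WITH_ESCAPE));
```

For the value quoted above it reports `opens-sandboxed` for `_blank` and `allowed` for `_top`, which lines up with the earlier observation that `_top` works while `_blank` loads without displaying.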

click on several of the https:// links, and the PDF files will open up immediately
Tested with this url https://www.wpfaqhub.com/how-to

This is why we need a thumbs down button.