Re: Security issue with URLs in embedded Airtable in Chrome and Safari

Mike_Reed · ‎Apr 26, 2020

I have an embedded an Airtable in a website with URLs that point to https locations that have pdf downloads. When the link is clicked the “https” is stripped off the url (although it is still in the Favicon on the browser tab) and the pdf will not open due to a security issue. Even dropping all security blocks will not allow the page to open. Not a problem with Edge or with Chrome or safari on iPhone. Only with Chrome on PC and Safari on Mac. The link will open if it is in the website outside of the airtable.

Update: Incognito doesn’t work; holding Ctrl (PC) or Cmd (Mac) will open the link in a new tab but stay on the main website. But it works!.

For developers: “target _top” works but “target _blank” or “target _parent” are loading but not displaying.

From the identically described issue stackoverflow.com this was suggested but didn’t work. It killed the table completely when we pasted in the iframe code:
I found something! I know your question was 2 years ago, but if you use the sandbox “allow-popups-to-escape-sandbox” in your iframe, this will work.

Mike_Reed · ‎Apr 26, 2020

Thanks Bill. We’ve tried incognito mode and all sorts of other security and cookie settings, but not helping

Bill_French · ‎Apr 26, 2020

Have you tried accessing this content from a completely different network connection? Same result?

Mike_Reed · ‎Apr 26, 2020

Yes, we’re seeing it from 3 different states in the US. I’m editing the post as we learn more.

Bill_French · ‎Apr 26, 2020

[quote=“Mike_Reed, post:1, topic:29363”]
holding Ctrl (PC) or Cmd (Mac) will open the link in a new tab but stay on the main website. But it works.

This is further indication that the cache pragma is blocking your access. If you force a cache clear in the request, the content comes through, right? Anything less, and the client is inclined to adhere to the website’s caching rules.

So, this could be a combination of two issues -

The website is configured to inform clients that if they have the latest content, use it.
The browsers are configured to abide by any server suggestions concerning cached content.

Mike_Reed · ‎Apr 26, 2020

OK, we’re looking at that now.

Bill_French · ‎Apr 26, 2020

And there’s a third possible issue here that we cannot easily rule out - malware. HTTP 304 errors are notorious indicators of URL hijacking and it is very uncommon to actually see them in browsers. I would take a deep read of some articles like this.

BUT: The 304 Not modified HTTP error may sometimes be triggered by malware or some problems with DNS server,[2] web browser’s cache or incompatible web browser’s plug-ins.

Mike_Reed · ‎Apr 26, 2020

So it turns out the issue we are facing is related to the custom code section that godaddy sets up in their Web Designer tool. They creating a way to introduce HTML but it is set with a sandbox attribute and values of: sandbox=“allow-scripts allow-same-origin allow-forms allow-popups allow-presentation allow-top-navigation”. This is breaking our links opening in a new tab (target=_blank) as they cannot escape the sandbox and make them show as blank. And we couldn’t find a way to hack around this.

So will be speaking to godaddy developers tomorrow. I’ll let you know when resolved, but not an airtable issue per se.

Thanks for all of your help.

Micheal_Seven · ‎Jul 30, 2020

click on several of the https:// links, and the PDF files will open up immediately
Tested with this url https://www.wpfaqhub.com/how-to

Bill_French · ‎Sep 01, 2020

This is why we need a thumbs down button.

NewlabSteve · ‎Feb 13, 2024

Having this same problem when publishing with Obsidian to our company website. Files are blocked in the airtable. Try clicking on any of the attached files in our SDS database: https://publish.obsidian.md/newlabprototyping/Detroit/Resources/2.+Safety+Data+Sheets
Same result from multiple locations in different browsers. Appears to not be an issue in Firefox, but chrome, edge, opera and safari all block the content.