Aramaech Posted February 10, 2021 Share Posted February 10, 2021 (edited) I'd like to embed a page from the website (namely chatbox) into a google apps script, and then embed the google script onto my site. There are a couple problems I'm running into. 1st in the sites admin cp, when I allow embedding on a specific offsite domain (*.script.google.com) it won't allow me to embed chatbox. However if I select the 3rd radio option "allow embedding in all offsite domains", which is not recommended, it allows it. So that's problem 1. 2nd I'm having trouble getting my site to allow the google script to be embedded on it anywhere at all. I was hoping that embedding the google script in an iframe (the script itself having my site in an iframe within it) would allow that chatbox iframe in the google script to recognize the top hosting domain as my site, and thereby allow it to embed in the google script. But I can't even get the google script to embed to see if that would work, though somehow I doubt it will. Any direction on this would be greatly appreciated :) Desired iframe layout of end product: _____________________________ | MY SITE | | _______________________ | | | GOOGLE SCRIPT | | | | ________________ | | | | | CHATBOX | | | | | | | | | | | |________________| | | | |______________________| | |____________________________| Edited February 10, 2021 by Aramaech Link to comment Share on other sites More sharing options...
bfarber Posted February 11, 2021 Share Posted February 11, 2021 You will need to allow whatever domain chatbox and Google are being served from if you are using a content security policy. Link to comment Share on other sites More sharing options...
Aramaech Posted February 12, 2021 Author Share Posted February 12, 2021 Chatbox is being served from my site, google is being served from google. What do you mean by allow it? Like this?admin cp -> advanced configuration -> Allow community to be embedded in an iframe -> content security policy: default-src *; frame-ancestors 'self' *.google.com That's one setting I tried. For the content security policy I also tried default-src *; frame-ancestors 'self' *.script.google.com Link to comment Share on other sites More sharing options...
CoffeeCake Posted February 12, 2021 Share Posted February 12, 2021 Is this a self hosted site? If so, what content security policy is your web server sending if any? Link to comment Share on other sites More sharing options...
Aramaech Posted February 12, 2021 Author Share Posted February 12, 2021 I use zFast for hosting, I don't host it myself. I do use SSL through Lets Encrypt, and Cloudflare as a CDN, which also includes its own end to end encryption, so that could also be a factor. Link to comment Share on other sites More sharing options...
CoffeeCake Posted February 12, 2021 Share Posted February 12, 2021 (edited) You'll need to sort out with Cloudflare how to set the correct security policy. Edit: https://support.cloudflare.com/hc/en-us/articles/216537517-Using-Content-Security-Policy-CSP-with-Cloudflare#:~:text=Cloudflare doesn't require changes,locations specified in your CSP. You'll need to make sure the CSP headers are correct for your site. Looks like Cloudflare simply observes whatever your webserver sends. Edited February 12, 2021 by Paul E. Link to comment Share on other sites More sharing options...
Recommended Posts