Posted February 10, 20214 yr I'd like to embed a page from the website (namely chatbox) into a google apps script, and then embed the google script onto my site. There are a couple problems I'm running into. 1st in the sites admin cp, when I allow embedding on a specific offsite domain (*.script.google.com) it won't allow me to embed chatbox. However if I select the 3rd radio option "allow embedding in all offsite domains", which is not recommended, it allows it. So that's problem 1. 2nd I'm having trouble getting my site to allow the google script to be embedded on it anywhere at all. I was hoping that embedding the google script in an iframe (the script itself having my site in an iframe within it) would allow that chatbox iframe in the google script to recognize the top hosting domain as my site, and thereby allow it to embed in the google script. But I can't even get the google script to embed to see if that would work, though somehow I doubt it will. Any direction on this would be greatly appreciated :) Desired iframe layout of end product: _____________________________ | MY SITE | | _______________________ | | | GOOGLE SCRIPT | | | | ________________ | | | | | CHATBOX | | | | | | | | | | | |________________| | | | |______________________| | |____________________________| Edited February 10, 20214 yr by Aramaech
February 11, 20214 yr You will need to allow whatever domain chatbox and Google are being served from if you are using a content security policy.
February 12, 20214 yr Author Chatbox is being served from my site, google is being served from google. What do you mean by allow it? Like this?admin cp -> advanced configuration -> Allow community to be embedded in an iframe -> content security policy: default-src *; frame-ancestors 'self' *.google.com That's one setting I tried. For the content security policy I also tried default-src *; frame-ancestors 'self' *.script.google.com
February 12, 20214 yr Is this a self hosted site? If so, what content security policy is your web server sending if any?
February 12, 20214 yr Author I use zFast for hosting, I don't host it myself. I do use SSL through Lets Encrypt, and Cloudflare as a CDN, which also includes its own end to end encryption, so that could also be a factor.
February 12, 20214 yr You'll need to sort out with Cloudflare how to set the correct security policy. Edit: https://support.cloudflare.com/hc/en-us/articles/216537517-Using-Content-Security-Policy-CSP-with-Cloudflare#:~:text=Cloudflare doesn't require changes,locations specified in your CSP. You'll need to make sure the CSP headers are correct for your site. Looks like Cloudflare simply observes whatever your webserver sends. Edited February 12, 20214 yr by Paul E.