Support Forums

Allowing a password-protected site to be embedded within an iframe

Hey folks, I’ve enabled site-wide password protection on a site (we’re on Pro plan.)

Everything works as expected until I embed the site within an iframe in our CMS (Sanity) for live preview.

After entering the password (which I’ve made sure to be the correct one), the iframe just reset itself. In the console log, we get a 401 error message for the iframe src.

If I access the site directly, no issues.

I figured it could had been a CSP issue, so I added the following headers to the Netlify site, and confirmed that it worked in the Network tab:

content-security-policy: frame-ancestors 'self' https://[project name].sanity.studio;

But still no dice. Here’s my request id:

x-nf-request-id: 01FHDMT54N4CAY43QFD4VQ4CVM

Any help is much appreciated. Thank you in advance!

Edit: Some more clue:

It turned out the error is caused not by embedding iframe, but because the cookie was never set:

x-nf-request-id: 01FHDMT4KYCQPBN1FN170K2HKW
set-cookie: [...]
This Set-Cookie have to have been set with "SameSite=None" to enable cross-site usage.

Is there a way for me to manually set SameSite=None when using this feature? any help is much appreciated!

I would not recommend doing this, but I suppose you could try copying the cookie being set when you access the site directly.

I don’t think this would work since the cookie would be checked for the domain, but that’s the last option.

Other than that, I think you might have to remove the password.