Can file preview (iframe method) work in Chrome with "Block third-party cookies" on?

Follow

New post

GregShu

• December 04, 2017 18:56

Using the documentation here: https://developer.box.com/reference#get-embed-link, I am obtaining the embed URL, and supplying it as the src for an iframe on a page generated by my server-side code. This works splendidly, except in Google Chrome when "Block third-party cookies" is turned on. It appears that the first request for the embed URL returns a reply with status code 302, a Location header that is the same URL as the one requested, and a number of cookies to be set. The subsequent request for the page is sent with the cookies, except in Chrome with "Block third-party cookies" turned on. In Chrome the cookies are not sent (iframe source's host is not the same as the parent  document's host), and as a result the Box server sends back the same 302 reply, and the cycle repeats. Eventually Chrome gives up, reporting "xyz.app.box.com redirected you too many times.".

 

Am I missing a step? Have others experienced the same and found a work-around?

0

• 

  MurphGH

  • December 18, 2017 14:12

  We're experiencing the exact same problem. The only way we've been able to resolve so far is asking customers to disable this setting, which hasn't gone over very well...

  0

  Comment actions Permalink
• 

  Jason

  • December 21, 2017 15:27

  Hi  and ,

   

  Thanks for posting to our forums! Love to see developers interact on here. 

   

  On a sadder note, the cookie dependency is unfortunately expected behavior for now. We've updated our documentation to reflect that:

  https://developer.box.com/reference#get-embed-link

   

   

  Taking advantage of the Content Preview UI Element has been a good workaround for most people, since it does not rely on iFrames:

  https://developer.box.com/v2.0/docs/box-content-preview

   

  We're working on a more expansive side-by-side comparison of Embed Links and the UI Elements to help developers 1) be aware that the elements exist but also 2) when to use one over the other. Embed links are easier, but have fewer features/customizations available, while the UI Elements take slightly more work to set up but have more options available.

   

  You can see many examples here:

  https://codepen.io/box-platform/pens/public/?grid_type=list

   

  Take a look and hopefully you'll see something in there that works for you. 

  0

  Comment actions Permalink
• 

  chip-honey

  • January 09, 2018 10:00

  The one problem here is that when using this with the new API for viewing files, this will expose our access token in both the file source and the network request. Is there a way to instead, create a secure/signed URL via the Box API and pass this to the Content Preview UI show() method?

  0

  Comment actions Permalink
• 

  chip-honey

  • January 09, 2018 11:00

  Acutally, just found the downscope token endpoint and that should work for this.

  0

  Comment actions Permalink
• 

  Jason

  • January 11, 2018 13:55

   Great find! Your concern is valid and is the exact reason we created the ability to downscope tokens 🙂 Happy previewing!

  0

  Comment actions Permalink
• 

  tonyjin

  • January 19, 2018 15:43

  We made a recent change and you should no longer need to disable third party cookies for expiring embed to function. Can you please see if things work for you now  ?
  
  Also, here's a guide for the different ways you can embed Preview onto your site: https://developer.box.com/docs/using-box-preview-in-your-application

  0

  Comment actions Permalink

Please sign in to leave a comment.