CRM Extension API unable to open Iframe in Firefox
I implemented the CRM Extension API with some iframes and action hooks. Everything works fine on Chrome, Safari and Edge, but when I try to open an iframe on Firefox it's just a blank screen with no data and no console error.
Hi @Connor_Barley, I found the root cause. It's not due to CSP or X-Frame-Options; for some reason Firefox is not refreshing the page in the iframe with header('Refresh:0;). I changed it to header('Location: and it started working.
I am redirecting the page app.proposify.co/proposal/send to app.proposify.co/login.
Hi @sunny, I was able to get that warning for my own app to go away when trying your headers. Here's what I used instead, excluding the frame-ancestors header and moving app.hubspot.com to the beginning of your frame-src section:
The headers I used above cleared out the ancestors issue in my own app.
You'll need to do some testing to see what the real root of the issue is. I'd recommend deleting or altering certain sections to see if the iframe loads under those conditions, then slowly add items back in and see if that fixes it.
Hey @sunny, thanks for changing that. Looking like the console has an error: "Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive."
Hi @sunny, when I go to Firefox and open up your CRM Extension by going to Actions > Send, I cannot see any X-Frame-Options header at all. Make sure you include one:
Hi @sunny, after a lot of testing with the help from our developers, I figured out what the culprit was. It looks like your X-Frame-Options header was set to allow-from https://*.hubspot.com. X frame options headers are only really enforced in Firefox, and they disallow clickjacking attacks, which makes sense why this wasn't working out only in Firefox. Your wildcard header is not valid. If you change this to something like allow-from https://app.hubspot.com or use some sort of Regex filter that can get all subdomains like this: https://stackoverflow.com/questions/17656799/javascript-regex-that-gets-all-subdomains, then that should work, but the way you're currently setting it is not valid.
I created a simple node app and set the headers here like this:
I was able to load the iframe when setting the header to app.hubspot.com but not with *.hubspot.com. Let me know if you have questions!
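An added example, not part of the thread or any participant's code: a small Node.js checker for the framing headers discussed here. It treats a wildcard in `X-Frame-Options: ALLOW-FROM` as invalid and lets CSP `frame-ancestors` take precedence over `X-Frame-Options`, as the Firefox console message quoted in this thread reports. `checkFraming`, `sourceMatches` and all sample values are constructed for illustration.

```javascript
// Added example: decide whether a parent page may frame a response, from its headers.
// checkFraming and all sample values are constructed; matching is simplified
// (single header values, no scheme-only sources, no path parts in sources).
function sourceMatches(source, parent, self) {
  if (source === '*') return true;
  if (source === "'self'") return parent.origin === self.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== parent.protocol) return false;
  // A port-less source only matches the scheme's default port (URL.port === '').
  if (port !== '*' && (port || '') !== parent.port) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, not the bare domain.
  return h.startsWith('*.') ? parent.hostname.endsWith(h.slice(1)) : h === parent.hostname;
}

function checkFraming(headers, parentUrl, selfUrl) {
  const parent = new URL(parentUrl), self = new URL(selfUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();
  const xfo = h['x-frame-options'];
  const fa = (h['content-security-policy'] || '').split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // frame-ancestors takes precedence; X-Frame-Options is ignored.
    const notes = xfo ? ['x-frame-options ignored because of frame-ancestors'] : [];
    const sources = fa.slice(1);
    const allowed = !sources.includes("'none'") &&
      sources.some(s => sourceMatches(s, parent, self));
    return { allowed, decidedBy: 'frame-ancestors', notes };
  }
  if (!xfo) return { allowed: true, decidedBy: 'none', notes: ['no framing policy sent'] };
  const decidedBy = 'x-frame-options';
  const v = xfo.toUpperCase();
  if (v === 'DENY') return { allowed: false, decidedBy, notes: [] };
  if (v === 'SAMEORIGIN') return { allowed: parent.origin === self.origin, decidedBy, notes: [] };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(xfo);
  if (m && !m[1].includes('*')) {
    try {
      return { allowed: new URL(m[1]).origin === parent.origin, decidedBy, notes: [] };
    } catch { /* not a URL: fall through to invalid */ }
  }
  // ALLOW-FROM takes one origin; wildcards are not valid, so behaviour is browser-dependent.
  return { allowed: null, decidedBy, notes: ['invalid x-frame-options value: ' + xfo] };
}
```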
Hi @Connor_Barley, I tried to set x-frame-options: ALLOW-FROM https://app.hubspot.com or x-frame-options: ALLOW-FROM https://api.hubspot.com, but it's still not working.
Hi @sunny, I pushed a simple application to Heroku here: https://obscure-cliffs-47038.herokuapp.com/ and was able to see the same issue when opening up the iframe as the iframe loads in Chrome but not in Firefox. I'm speaking with our developers and will get back to you when we have a better grasp for why this might happen.
It might be something to do with the webpage being sent from the app.proposify domain that HubSpot is blocking. I'll update you when I have more info on this, though. Thank you!
Hi @sunny, this certainly looks like an unexpected error on our end, but I'll need to check with my team.
As an aside, it is a holiday in the US tomorrow and Friday so response times may be a bit slower than normal. I'll likely be able to get back to you by Monday. Thanks!