Phoenix LiveView in an iframe

:wave:

The idea is to embed a LiveView page in an iframe on a website with different origin.


Has anyone had success running Phoenix LiveView in an iframe from a different domain? I'm getting the "LiveView session was misconfigured or the user token is outdated." warning and a 403 error response on WebSocket connect (the server-rendered HTML gets returned fine) even though csrf_meta_tag/0 is set, most likely since Connect Info: %{session: nil}, where session is not a map. The "iframed" page's headers are:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 1; mode=block
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Date: Tue, 24 Mar 2020 18:19:09 GMT
Content-Length: 2905
X-Content-Type-Options: nosniff
Vary: x-requested-with
Server: Cowboy
x-download-options: noopen
x-permitted-cross-domain-policies: none
cross-origin-window-policy: deny
x-request-id: Ff9QXBtfVX-isuEAAOMB

I’m dropping x-frame-options: sameorigin header before sending the response, I’ll go read about the other headers, will also try removing them.

After removing all security headers, the iframed page responds with:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 24 Mar 2020 18:24:11 GMT
Content-Length: 2905
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Vary: x-requested-with
Server: Cowboy
x-request-id: Ff9QojhbQpcCa6kAAQDh

The 403 error persists.

Ok, I removed the connect_info options, and now it seems to work:

  socket "/live", Phoenix.LiveView.Socket
-   websocket: [
-     connect_info: [session: @session_options]
-   ]

It’s probably ok for this page, since it doesn’t do any auth.
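As an added example (not the thread author's code), the alternative to dropping the session: keep connect_info so the CSRF token is still verified on join, make the session cookie eligible for a cross-origin iframe, and allow only the embedding site to frame the page. MyAppWeb, the cookie key, the salt and https://parent.example are assumed names.

```elixir
# Added example, not from the thread. MyAppWeb, "_my_app_key", the salt and
# https://parent.example are assumed names; replace them with your own.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # SameSite=None lets the browser attach the session cookie when the page is
  # loaded inside a cross-origin iframe; browsers require Secure with it, so
  # this only works over HTTPS.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "REPLACE_WITH_SALT",
    same_site: "None",
    secure: true
  ]

  # Keep the session in connect_info: the LiveView join then verifies the
  # CSRF token from the page against the session instead of seeing
  # %{session: nil} and answering 403.
  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]]

  # ... Plug.Static, code reloading etc. as generated by phx.new ...
  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end

# Instead of stripping x-frame-options for everyone, name the one origin that
# may embed the page. Put this plug after :put_secure_browser_headers in the
# browser pipeline so it overrides the SAMEORIGIN default.
defmodule MyAppWeb.Plugs.AllowEmbedding do
  import Plug.Conn

  @embedder "https://parent.example"

  def init(opts), do: opts

  def call(conn, _opts) do
    conn
    |> delete_resp_header("x-frame-options")
    |> put_resp_header("content-security-policy", "frame-ancestors #{@embedder}")
  end
end
```

With the session kept, a 403 on the WebSocket upgrade now points at the cookie not being sent (check SameSite/Secure in the browser's cookie view) rather than at a missing session map.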