Does anyone have experience with embedding a bubble.io webpage into a customers siteusimg iframes? I want to restrict the page to only be accessible at the customers website and not any other websites. I tried setting the Content-security-policy tag using frame-ancestors tag to allow only certain websites to access the page but Bubble doesn’t let me do that using JavaScript or HTML. Is there a workaround for this?
1 Like
With bubble you can set an option to allow/prevent iframe embedding of your app. Bubble will add/remove the corresponding headers in your page, but it’s all or none. You can’t specify a page and you can’t specify an allowed domain.
If you want more flexibility you need to have a proxy server in the middle to dynamically add/remove the headers.
It is doable, there are plenty of ways to do it. I usually set this up with cloudflare workers. You do need to proxy every subsequent request and make some adjustements specific to bubble.
1 Like
That’s great. I almost gave up thinking there is no solution to this. I’m not a technical guy. Can you please elaborate how do you add proxy servers in the middle to add/remove headers…I don’t think Bubble let’s you change/customize a lot on the server side of things
You need an external server and code to do it. There are many things you can use, maybe also managed services.
Because there are some bubble specific things to handle I prefer to do it with code with cloudflare workers, as I am used to javascript and the way their service works.
To see what header you need to handle you can start from here
1 Like
Got it. That makes sense. Thanks for explaining. So just to confirm how this would work. I send the bubble web apps url that I want embedded into a different customers website to a proxy server like cloudflare? (Is there any documentation or resource how to do this). At the proxy server, I make changes to the header so that it includes the “Content-security-policy” tag with the appropriate values.
This topic was automatically closed after 70 days. New replies are no longer allowed.