Need to see if your shared folder is taking up space on your dropbox 👨💻? Find out how to check here.
Forum Discussion
Embedder error on iPhone browsers
I am using the dropbox embedder on my website. It works as expected except on iPhone devices. I have tried it on two different iPhones using the Safari, Chrome, and Firefox apps and they all have the same result:
When the page loads, there is a message shown asking the user to allow cookies. Tapping the Allow Cookies button seems to reload the embedder, but the message is always shown. I have tried checking the settings of the browser apps, but there is no setting to turn cookies on or off. I also tried deleting cached files and cookies in the browser. This was at one point working on iPhones, but I was just told that it stopped about 1 month ago.
Below is the message that is logged in the console:
www.dropbox.com/log/telemetry:1 POST https://www.dropbox.com/log/telemetry 403 Unrecognized Content-Security-Policy directive 'worker-src'. add_events:1 POST https://www.dropbox.com/2/event_logging/add_events?t=nkgw44qiKE1BDJTFf2rFy53gUP6WMLFqsUeGPH8-oJM 401 add_events:1 POST https://www.dropbox.com/2/event_logging/add_events?t=nkgw44qiKE1BDJTFf2rFy53gUP6WMLFqsUeGPH8-oJM 401 www.dropbox.com/2/client_metrics/record:1 POST https://www.dropbox.com/2/client_metrics/record 401 www.dropbox.com/2/users/get_current_account:1 POST https://www.dropbox.com/2/users/get_current_account 401 www.dropbox.com/2/previews/get_preview_data_batch:1 POST https://www.dropbox.com/2/previews/get_preview_data_batch 401 www.dropbox.com/dropins/log_event:1 POST https://www.dropbox.com/dropins/log_event 403 www.dropbox.com/dropins/log_event:1 POST https://www.dropbox.com/dropins/log_event 403 www.dropbox.com/2/previews/get_preview_data_batch:1 POST https://www.dropbox.com/2/previews/get_preview_data_batch 401 www.dropbox.com/log/telemetry:1 POST https://www.dropbox.com/log/telemetry 403
19 Replies
- Greg-DB
Dropbox Community Moderator
Thanks for the report. For reference, can you let me know:
- Do you have the "Prevent Cross-Site Tracking" setting in Settings.app > Safari enabled?
- Are you placing the Embedder inside an iframe?
- Prevent Cross-Site Tracking was enabled by default. I tried disabling it, clearing the data, and closing safari then trying it again. The result was the same.
- No, I am not using an iframe. Below is my relevant code:
<html>
<head runat="server">
<script type="text/javascript" src="https://www.dropbox.com/static/api/2/dropins.js" id="dropboxjs" data-app-key="myKey"></script> </head> <body> <form runat="server"> <div class="row-container"> <a id="theFrame" class="row" style="height: 100%"></a> </div> </form> </body> </html> <script type="text/javascript"> let urlParams = new URLSearchParams(window.location.search); if (urlParams.has('Link')) { let element = document.getElementById('theFrame'); Dropbox.embed({ link: link }, element); } </script>
- Greg-DB
Thanks for the additional information. I just tried reproducing this with that code, and it only reproduces for me with "Prevent Cross-Site Tracking" enabled (and works fine with it disabled).
Please try this sample I just put up with this code (though I had to add a missing "link" definition): https://zealous-beaver-5f8cdb.netlify.app/?Link=https://www.dropbox.com/s/u0bdwmkjmqld9l2/dbx-supporting-distributed-work.gif?dl=0
Let me know if you see the same behavior with that, where it fails both with and without "Prevent Cross-Site Tracking" enabled.
Thanks for the reply. I disabled "Prevent Cross=Site Tracking" and can confirm that it works in Safari. However, it does not work in the Chrome app, even with Prevent Corss-Site Tracking disabled.
It seems like there should be a better solution than having to tell every user that they need to change their settings and only use Safari?
- Greg-DB
Yes, ideally we'll be able to resolve this on our side, but we just want to make sure we're reproducing exactly the issue you're reporting.
So, to be clear, if I understand your messages correctly, the issue does not appear on my sample site for you when you have "Prevent Cross-Site Tracking" disabled, but does still appear on your site for you even with "Prevent Cross-Site Tracking" disabled. Is that correct? If so, can you share a sample page that reproduces the issue even with "Prevent Cross-Site Tracking" disabled?
(Also, interestingly, the issue does not reproduce for me in Chrome on iOS, with or without "Prevent Cross-Site Tracking" disabled.)
Thanks, I am glad to hear that. I don't think we're on the same page, so let me clarify.
Safari: works with PCST disabled, but not when it is enabled.
Chrome: does not work either way.
This is true for both your site and my internal website.
- Greg-DB
Got it, thanks! This is open with engineering for the case where "Prevent cross-site tracking" affects this. I'll follow up here once I have an update on that.
I still can't reproduce the behavior you're seeing in Chrome though. Can you let me know what version of iOS and Chrome you're seeing that with?
Last week I was using a friend's device, so I'm not sure what versions he had. I just tried it on a different iPhone, and it does not work on that device with Chrome or Safari. This iPhone is using iOS 14.2 and Chrome version 87.0.4280.77
- Greg-DB
Thanks! I was on an older version where it does work in Chrome, for whatever reason. I'll ask the team to look into that variant as well.
Any update on this? We have begun using the Embedder with the following code (keys/link changed) and it gives the cookies message on both iPhone and iPad, but cookies are already enabled, so those users never get to the Dropbox content:
<script type="text/javascript" src="https://www.dropbox.com/static/api/2/dropins.js" id="dropboxjs" data-app-key="xxxxxxxxxxxx"></script>
<a
href="https://www.dropbox.com/sh/xxx/xxx?dl=0"
class="dropbox-embed"
data-height="900px"
data-width="100%"
></a>
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
