Skip to main content
Question

Can file preview (iframe method) work in Chrome with "Block third-party cookies" on?

  • May 22, 2025
  • 6 replies
  • 19 views
C
Forum|alt.badge.img

Using the documentation here: https://developer.box.com/reference#get-embed-link, I am obtaining the embed URL, and supplying it as the src for an iframe on a page generated by my server-side code. This works splendidly, except in Google Chrome when "Block third-party cookies" is turned on. It appears that the first request for the embed URL returns a reply with status code 302, a Location header that is the same URL as the one requested, and a number of cookies to be set. The subsequent request for the page is sent with the cookies, except in Chrome with "Block third-party cookies" turned on. In Chrome the cookies are not sent (iframe source's host is not the same as the parent  document's host), and as a result the Box server sends back the same 302 reply, and the cycle repeats. Eventually Chrome gives up, reporting "xyz.app.box.com redirected you too many times.".

 

Am I missing a step? Have others experienced the same and found a work-around?

    6 replies

    C
    Forum|alt.badge.img

    We're experiencing the exact same problem. The only way we've been able to resolve so far is asking customers to disable this setting, which hasn't gone over very well...

    C
    Forum|alt.badge.img

    Hi  and ,

     

    Thanks for posting to our forums! Love to see developers interact on here. 

     

    On a sadder note, the cookie dependency is unfortunately expected behavior for now. We've updated our documentation to reflect that:

    https://developer.box.com/reference#get-embed-link

     

     

    Taking advantage of the Content Preview UI Element has been a good workaround for most people, since it does not rely on iFrames:

    https://developer.box.com/v2.0/docs/box-content-preview

     

    We're working on a more expansive side-by-side comparison of Embed Links and the UI Elements to help developers 1) be aware that the elements exist but also 2) when to use one over the other. Embed links are easier, but have fewer features/customizations available, while the UI Elements take slightly more work to set up but have more options available.

     

    You can see many examples here:

    https://codepen.io/box-platform/pens/public/?grid_type=list

     

    Take a look and hopefully you'll see something in there that works for you. 

    C
    Forum|alt.badge.img

    The one problem here is that when using this with the new API for viewing files, this will expose our access token in both the file source and the network request. Is there a way to instead, create a secure/signed URL via the Box API and pass this to the Content Preview UI show() method?

    C
    Forum|alt.badge.img

    Acutally, just found the downscope token endpoint and that should work for this.

    C
    Forum|alt.badge.img

     Great find! Your concern is valid and is the exact reason we created the ability to downscope tokens 🙂 Happy previewing!

    C
    Forum|alt.badge.img

    We made a recent change and you should no longer need to disable third party cookies for expiring embed to function. Can you please see if things work for you now  ?

    Also, here's a guide for the different ways you can embed Preview onto your site: https://developer.box.com/docs/using-box-preview-in-your-application

    Terms & ConditionsAccessibility statement