Restricting webform to authenticated users causes X-Frame-Options issue in iframe embed

Created on 6 October 2023, about 1 year ago
Updated 9 October 2023, about 1 year ago

Problem/Motivation

Webform sharing works great when the form is open to anonymous users. However, when it is restricted to authenticated users only, the iframe embed can't render the form because of an error related to X-Frame-Options. The expected behaviour is that a login form should appear in the iframe and logging in should then render the embedded form.

Steps to reproduce

  1. Create a simple webform and enable sharing
  2. Go to Webform -> Settings -> Access -> Create Submissions. Untick the Anonymous Users option and save configs.
  3. Try embedding this form on another site using the fixed/responsive iframe method.

This should result in the issues discussed above.

Proposed resolution

Upon inspection of the code for the Webform Share submodule, it removes the X-Frame-Options header for any route that matches entity.webform.share_page. The routing defined in the webform_share.routing.yml has a requirement that the entity access should be 'webform.submission_create'. So when we are restricting the forms to authenticated users only, we are basically voiding that requirement and hence the X-Frame-Options header is not removed.
Can this requirement be removed from the routing.yml file?

πŸ› Bug report
Status

Closed: won't fix

Version

6.2

Component

Code

Created by

🇦🇺 Australia amarshkhl09
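
The framing outcome described in the report can be diagnosed from the response headers alone. The following is an added example, not code from the Webform module or from the original report: it models a browser's decision to let a direct parent page frame a URL. The URLs, the sample headers and the `can_embed` helper are constructed assumptions.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return scheme://host[:port] for a URL, lowercased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None

def can_embed(headers, page_url, parent_url):
    """Decide whether parent_url may frame page_url; returns (allowed, reason).

    Only a direct parent is modelled, and only 'none', 'self', '*' and
    exact-origin sources are understood.
    """
    h = {k.lower(): v for k, v in headers.items()}
    same = origin(page_url) == origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        ok = ("*" in sources or (same and "'self'" in sources)
              or origin(parent_url) in sources)
        return ok, "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return same, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction"

# Constructed sample data (hypothetical URLs, not captured traffic).
SHARE_URL = "https://forms.example/webform/contact/share"
PARENT = "https://partner.example/landing"
HEADER_REMOVED = {"Content-Type": "text/html"}      # form open to anonymous users
HEADER_KEPT = {"X-Frame-Options": "SAMEORIGIN"}     # assumed: restricted form, header left in place

if __name__ == "__main__":
    for name, hdrs in (("open form", HEADER_REMOVED), ("restricted form", HEADER_KEPT)):
        print(name, can_embed(hdrs, SHARE_URL, PARENT))
```
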
