Using An iframe


If your instance of Flow is going to be embedded inside an iframe, some custom configuration is required. Without it, you won’t be able to log in inside the iframe.

Requires Flow build 16.11.4.1 or greater.

Configuration Changes

In the configuration folder of your Flow instance, make the following changes:

C:\inetpub\wwwroot\chameleon\Configurations

  1. With the file named session.settings.config

    1. Create a backup of the file

    2. Edit the file

    3. Replace its contents with the contents from the file session.settings.iframe.config

  2. With the file named httpcookies.settings.config

    1. Create a backup of the file

    2. Edit the file

    3. Replace its contents with the contents from the file httpcookies.settings.iframe.config

  3. You may need to delete the cookies that your browser has stored so that the new changes take effect. The steps for deleting cookies vary depending on which browser you use.

 

Figure: the files to be modified inside the Configuration folder

Clear Your Cookies

If you still cannot log in after making these changes, you likely need to clear your cookies. The steps for deleting cookies vary depending on which browser you use.

Notes

The web.config file references the modified configuration files.


Safari - Permission Required

Safari blocks all third-party cookies by default. To get access to cookies, which we need in order to log in at all, we have to use the Storage Access API to request access. That request only works after the user has at least clicked on the site when it is not framed and a cookie has been created there.

WebKit describes the requirement here: https://webkit.org/blog/11545/updates-to-the-storage-access-api/
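The check-then-request sequence described above, as an added example that is not Flow's own code. The function names and the returned state strings are hypothetical; `doc` stands for the framed page's `document` and is passed in so the logic can be run against a stub.

```javascript
// Added example, not Flow's code. Names and return strings are hypothetical.
// Decide what the framed login page can do next:
//   "granted"                 cookies are usable, continue with the login
//   "needs-click"             call again from inside a click/tap handler
//   "needs-first-party-visit" Safari refused: the user must first open the
//                             site unframed (the pop-up step on this page)
//   "unsupported"             browser has no Storage Access API
async function ensureCookieAccess(doc, userGesture) {
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported";
  }
  if (await doc.hasStorageAccess()) {
    return "granted";
  }
  // requestStorageAccess() is rejected unless it runs during a user gesture,
  // so never call it on page load.
  if (!userGesture) {
    return "needs-click";
  }
  try {
    await doc.requestStorageAccess();
    return "granted";
  } catch {
    // Rejected: the user declined the prompt, or the site has not yet been
    // used as a first-party (unframed) site in this browser.
    return "needs-first-party-visit";
  }
}

// Browser wiring: request access from the login button's click handler.
function wireLoginButton(doc, button, onGranted, onBlocked) {
  button.addEventListener("click", async () => {
    const state = await ensureCookieAccess(doc, true);
    if (state === "granted" || state === "unsupported") {
      onGranted();
    } else {
      onBlocked(state); // e.g. reveal a button that opens the site unframed
    }
  });
}
```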

Storage Access API documentation

Storage Access API - Web APIs | MDN
Document: hasStorageAccess() method - Web APIs | MDN
The Storage Access API

More references

Third-Party Cookie Restrictions for Iframes in Safari
Safari 13+ iframe blocks CORS cookies

 

-- This means that, in effect, the existing cookie must also be set on the exact same subdomain.
Cannot set cookie in iframe using the Storage Access API on Safari

Safari Login Process

With version 16.12.5.4 there is a possible Safari login process that will look something like this:

The user will try to log in but will then encounter an error, at which point a new button will appear:

The user needs to click the Enable Sign In… button, which opens a pop-up page from the site where the user is prompted to enable the use of cookies.

 

When the user clicks the Enable Login button, the page responds with a message telling them they can now close this window and return to the previous site.

 

When they return to the original site, they should refresh the page and try to log in again. They will then be prompted to allow cookies.

 

After they click allow, they need to:

  • refresh the site again

  • try to log in again

at which point they should be able to log in successfully.

Future logins won’t prompt them to redo this for some time. I believe Safari requires the user to have direct access to the original site every 30 days. (This is what the popup “My Authorization” page does for them.)

Testing Safari - Reset

If you’ve already tested this process on an iPhone and want to reset it to try again - you have to Clear History.

  • Settings

  • Apps

  • Safari

  • Clear History and Website Data