After the latest Obsidian update (0.10.11), I still can’t render an iframed Coda.io doc or form, despite the release note that says: You can now use iframe to embed sites that previously wouldn’t show. This is done by ignoring the X-Frame-Options that some websites use to prevent embedding.
The context-switching is so disruptive to my workflow. Does anyone know why this is the case, and if it will ever be possible?
I have played with the Iframe and had no issues; never tried Coda.io. Can you provide a link that won’t render for you? Could it be that you have to authenticate?
Thanks for your willingness to help. It really is Coda.io specific. I have no problem using iFrame with other web apps such as Todoist and Airtable (which also require authentication).
I just mocked up a Coda.io page here. I can view it in an Incognito window, so it should be publicly available. But I can’t get it to render in an iFrame in Obsidian. If you have any ideas, I’d appreciate hearing!
I’ll take a look when I take a break from work…
I don’t know the protocol for appropriately reaching out to the developers, or one of the really helpful moderators of the community, but I would really like to get to the bottom of this issue. @nickmilo or @ryanjamurphy – could you let me know the respectful and appropriate way to reach out to them? Can I “@” mention them here? Or is there a support email (for the life of me, I’ve been searching the main web site for it and can’t find one)?
Hm. Have you gotten a coda.io iFrame to work elsewhere?
Actually, you could try iframing it here?
You may want to open a bug report for this issue. (That’d be the appropriate way to get this to the devs!)
On support emails: The app is primarily community supported, hence the lack of an email. You can tag 'em but I encourage people not to (since more development time leads to more app development!) (They also catch things on their own once in awhile, and we (the mods) elevate things to the devs sometimes.
Hm. Can’t get it to work here, either. Could it be an issue with Coda? Other users seem to report similar problems: https://community.coda.io/t/can-coda-be-embedded-seamlessly-into-a-webpage/14083/3
@ryanjamurphy - Thanks for your help here! I’ll follow up on all your suggestions. I’m an early adopter/beta user for Coda and they have been fairly responsive (except @BenLee who is the moderator on that coda forum link you noted). And I’ll open a bug report here, but I suspect your intuition that it’s a Coda issue is correct – if it won’t work here, and it doesn’t seem to work in Incognito tabs (per the Coda link), and not in Obisidian docs, it seems to me they are doing something funky on their end. I’ll report back in case others are looking at the same problem.
Reporting back already…
 Like, you, I can’t get a valid Coda iframe to embed here.
 I can view a public Coda form in an Incognito window.
 I cannot view the exact same public Coda form in Obsidian
 Bug report is here
Hi there !
As I too would really like to be able to embed coda.io docs in my Obsidian notes, I just wanted to let you know that I also contacted the support about this !
After all, Coda docs are already embeddable so I don’t see why not in Obsidian .
And that would be so helpful .
… Wait and see … !
Update from Coda support - after going back and forth for a week with first level support, they escalated by inquiry to the developer team. They wanted to see what my browser console was throwing for errors, so I supplied that and am still waiting to hear back.
Oh ! That’s already a wonderful step in the right direction !
Thank you very much for this update !
If I get some info, from my side I’ll come back here .
Meanwhile, I’ll keep my finger crossed and hope this is just a bug on Coda’s side which might be easy to fix !
Hi folks - Coda developer here. I was able to reproduce the issue and on the surface, this looks like a bug in Obsidian to me. Happy to be proven wrong, though
When a Coda doc is normally rendered, we limit the ability to embed the doc for security by specifying a Content Security Policy rule:
frameAncestors: 'self' *.coda.io. This tells browsers to limit iFramed versions of the content to be from pages served within the origin domain (coda.io) and subdomains of coda.io, but no other sources.
However, we have a special form of the document we allow to be iframe embedded, available from the embed panel in the sharing dialog. This URL is of the form
https://coda.io/embed/<docId>. When that URL is requested, we append a
* to the CSP rule, enabling this document to be iFrame embedded by any site. The CSP rule here looks like:
frameAncestors: 'self' *.coda.io *.
My guess, without knowing too much about how Obsidian works under the covers, is that it is intercepting the browser-based load & render of the iframe, causing its embedded copy of Chrome to believe the page is coming from local content using something like a
data: URL which is outside the scope of the
* rule. If true, I would expect any service’s embed URL that uses the
frameAncestors CSP rule to similarly fail to render within Obsidian.
Regardless, if an Obsidian developer would like to reach out, I’m happy to chat offline and figure out a solution.
Indeed our initial bypass for X-Frame-Options doesn’t cover everything. We will also be adding added a Content-Security-Policy/frame-ancestors bypass in the coming version which should fix this issue.
Woot woot! Thanks so much for your efforts @Licat and @codachris. Also thanking @ryanjamurphy and @Chuckle123 for initial advice, and @Gadwood for persistence in calling attention to the mysterious issue. Obsidian + Coda = Awesome!
I should have thought about that too ! Sorry folks !
But from the bottom of my heart, thank you to all of you !
And I can only agree here !
Thank you very much for this precious info @WhiteNoise !
And thank you very much to the Dev’ Team, of course !!!