Our web app integration loads https://app.hubspot.com/login/ inside an iframe instead of a pop-up window, so it doesn't trigger browser pop-up blockers, which are annoying for users. It had been working fine until recently. I noticed the https://app.hubspot.com/login/ page has "X-Frame-Options: sameorigin", which prevents the login page from loading. Is this an intentional recent change? Is a pop-up window the only option to integrate HubSpot sign-in UX into a web application? Thanks!
This appears to occur whenever you have no cookies related to HubSpot's DOS protection through Cloudflare. If you have not been to a HubSpot domain within the given browser, you cannot load the DOS protection check within an iframe.
To recreate, in any browser clear the cookie "cf_clearance" for the "hubspot.com" domain. There is a second cookie, but it does not affect this (seemingly). Once you've done that, attempt to load the login via iframe, and it will fail. Going to the login in a separate tab will work (showing the DOS protection first), and from there that browser will be good.
Unfortunately for me, opening the login in another tab will not really work, as I have a desktop app with electron. Is there any way around this?
I'm not aware of any way around the behavior you've described.
Forgive me, as I'm not familiar with desktop app development, but would you be able to use a pop-up, as the original poster suggested? (I recognize that may not align with the UX you're going for, however.)
Particularly, that it will not work until a HubSpot-hosted page is visited and the cf_clearance cookie is set. Another way would be to remove the iframe from the example and recommend not using the iframe. Either way, I'm just curious what the intended use of that is, or if the hoops to jump through to make it work are entirely anticipated and expected.
What I imagine we will end up doing is attempting to load the iframe, and if it fails then display some information from your API, with a link to view in HubSpot (opens a new tab, or a window in desktop). I've read some other forum posts regarding the timeline, and how that information is not easily browsable via the API (altogether at least); otherwise I would drop the iframe altogether and attempt to recreate that embed page myself.
I'm trying to replicate the behavior you described, but want to make sure I understand you correctly.
I've embedded a contact's timeline via IFrame on a non-HubSpot page. I clear all cookies in the browser (Opera in VPN mode), navigate to the page, and click the Log in to HubSpot CTA. The login page (app.hubspot.com/login) opens successfully in a pop-up and I can log in.
Are you forcing app.hubspot.com/login to open in an IFrame? If so, how?
I'm a little confused by what you wrote. If you embed the link in an iframe and are not logged into HubSpot, you will see the login page (app.hubspot.com/login) right in the iframe (assuming you have the cookie). The flow, when it works, has no pop-ups. There is no "Log in to HubSpot" CTA. A pop-up immediately suggests there is something else on your page besides the iframe.
In the failure case, Chrome displays a little icon of a page with a frown, and Firefox just displays a white box. If you see anything beyond that, it would appear it is sending the cookie. I have not tested in Opera, but I see no reason to think it would work there, as I doubt the sameorigin rule could be ignored.
Some of our users were affected by either of the two issues, which prevent them from logging in to their HubSpot account. When we tried to repro it locally, we could only repro intermittently, which really threw us off. Our users are not technically savvy enough to help us gather debugging info.
I'm guessing there are similar heuristics on the HubSpot sign-in page server side that decide whether the SAMEORIGIN header will be added.
I get it, HubSpot needs to protect against attacks. But the implementation is far from ideal. It is hurting legitimate users who use desktop-based integrations. This is very frustrating, because the nondeterministic behavior and the possible heuristics behind it are a black box!!
Isaac had sent me a private message, which I responded to, but received no response, so I wanted to follow up here. Recreating this is 100% reliable, and I've put steps below (pasted from my private message). I have not seen the other issue that you mention, at least not yet.
@james-criscuolo, thank you so much for clarifying. I believe I am deleting the cf_clearance and csrf cookies from hubspot.com, however I am still seeing the "Log in to HubSpot" CTA load in an iframe.
I've sent you a screencast of my actions via DM. Would you mind pointing out what I'm missing?
I have the exact same problem but with the Chrome Extension.
Even if I try to open the extension while on my Hubspot dashboard I get:
Refused to display 'https://app.hubspot.com/login/?loginRedirectUrl=https%3A%2F%2Fapp.hubspot.com%2Factivity-feed-embedded%2F5202745%2Fall%3Fsource%3Dextension&loginPortalId=5202745' in a frame because it set 'X-Frame-Options' to 'sameorigin'
If so, this thread discusses behavior very similar to what you're describing and was also opened four weeks ago. @jennysowyrda's instructions here resolved the behavior for at least four users.