https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6935727#M17683 <P>Ok it was an AI hallucination, I guess. Does anyone have any other ideas? Would really appreciate it.</P> Fri, 25 Apr 2025 19:26:38 GMT hq9000 2025-04-25T19:26:38Z https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6932874#M17661 <P><SPAN>Hi all, i've embedded spotify widget to me website (iframe) but it under certain circumstances gives me the following error when I'm logged in to spotify.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Refused to frame '</SPAN><A href="https://accounts.spotify.com/" target="_blank" rel="nofollow noopener">https://accounts.spotify.com/</A><SPAN>' because an ancestor violates the </SPAN></P><P><SPAN>following Content Security Policy directive: "frame-ancestors&nbsp;</SPAN><A href="https://open.spotify.com/" target="_blank" rel="nofollow noopener">https://open.spotify.com</A><SPAN>".</SPAN></P><P>&nbsp;</P><P><SPAN>If I log out of spotify, it starts working (showig tracks previews).</SPAN></P><P>&nbsp;</P><P><SPAN>In one browser it helped me to log out/in from spotify. In another it did not.</SPAN></P><P>&nbsp;</P><P><SPAN>Any idea?</SPAN></P> Wed, 23 Apr 2025 15:52:19 GMT https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6932874#M17661 hq9000 2025-04-23T15:52:19Z https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6933048#M17663 <P>Hey! How are you?</P> <P>&nbsp;</P> <P>As a developer, I do believe that this error is related to Spotify's Content Security Policy (CSP) and the way Spotify handles authenticated sessions within an iframe.</P> <P>&nbsp;</P> <P>When you're logged into Spotify, the player tries to access domains like <A href="https://accounts.spotify.com" target="_blank">https://accounts.spotify.com</A>, but this domain doesn't allow it to be displayed in iframes from sites other than Spotify itself (due to security policy). That's why the browser blocks it and generates the error.</P> <P>&nbsp;</P> <P><STRONG>But why does it work when you're logged out?</STRONG></P> <P>Because when you're not logged in, the Spotify widget only shows previews of the tracks — and doesn't try to authenticate the user. So there's no attempt to load accounts.spotify.com and the block doesn't occur.</P> <P>&nbsp;</P> <P><STRONG>Possible solutions and suggestions:</STRONG></P> <P>&nbsp;</P> <P><STRONG>Use only the preview player (unauthenticated)</STRONG></P> <P>If the goal is to just show songs/artists to visitors to your site, leave the iframe as is, without forcing a login. This ensures that it works for everyone, even if they are not logged in.</P> <P>&nbsp;</P> <P><STRONG>Avoid relying on the user's logged in session in the widget</STRONG><BR />The Spotify widget is not designed to provide a seamless login experience across domains. For custom experiences, it would be best to use <A href="https://developer.spotify.com/documentation/web-api" target="_self">Spotify's Web API</A> with OAuth authentication, which can be done outside of the iframe.</P> <P>&nbsp;</P> <P>Keep me updated if I can continue to help you.</P> <P>&nbsp;</P> <P>Cheers,<BR />ribezaz</P> Wed, 23 Apr 2025 18:19:51 GMT https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6933048#M17663 ribezaz 2025-04-23T18:19:51Z https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6933533#M17671 <P>hi, thanks for a thorough answer.</P><P>&nbsp;</P><P>1. weirdly, sometimes it DOES work even when I'm authenticated (providing full quality playback, ability to add to my playlist etc.). Why can that be? For me it suggests that the embed is actually <STRONG>supposed to work</STRONG> in this case and we are dealing with a bug or a misconfiguration on my end.</P><P>2. In general, I'd be fine with only providing preview. <STRONG>But how can I enforce that</STRONG>? For now, if a visitor happens to be an authenticated spotify user, my embed doesn't work (at least part of the time) because of content security policy?</P><P>&nbsp;</P><P>Thanks,</P> Thu, 24 Apr 2025 05:33:40 GMT https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6933533#M17671 hq9000 2025-04-24T05:33:40Z https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6934016#M17673 <P>For the first question about why it sometimes works when authenticated - this is likely because Spotify's authentication flow can behave inconsistently in embedded contexts. When it works while authenticated, it might be because:</P> <P>&nbsp;</P> <P><STRONG>The authentication token is being handled differently in certain browser sessions</STRONG><BR />Spotify might have different CSP implementations across their various subdomains<BR />Your particular embed configuration might occasionally satisfy the security requirements</P> <P>&nbsp;</P> <P><STRONG>Regarding the second question about enforcing preview mode only, you have a few options:</STRONG></P> <P>&nbsp;</P> <P><STRONG>Use the explicit preview embed URL format that Spotify provides, which looks like:</STRONG><BR /><A href="https://open.spotify.com/embed/track/ID?utm_source=generator&amp;theme=0&amp;preview=true" target="_blank">https://open.spotify.com/embed/track/ID?utm_source=generator&amp;theme=0&amp;preview=true</A><BR />The key parameter here is preview=true which should force the preview mode.</P> <P><BR /><STRONG>Add parameters to disable authentication features:</STRONG><BR /><A href="https://open.spotify.com/embed/track/ID?utm_source=generator&amp;theme=0&amp;view=coverart" target="_blank">https://open.spotify.com/embed/track/ID?utm_source=generator&amp;theme=0&amp;view=coverart</A><BR />The view=coverart parameter tends to simplify the embed and reduce authentication needs.</P> <P><BR />Consider using the Spotify Web API directly instead of iframes if you need more control over the behavior, though this requires more development work.</P> Thu, 24 Apr 2025 13:18:15 GMT https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6934016#M17673 ribezaz 2025-04-24T13:18:15Z https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6934843#M17678 <P>tried "preview=true" - no any effect. It does not affect the behaviour of the embed.&nbsp;</P><P>&nbsp;</P><P>Is there any documentation for this query parameters for embeds? Can you give a link?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 25 Apr 2025 03:46:33 GMT https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6934843#M17678 hq9000 2025-04-25T03:46:33Z https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6935727#M17683 <P>Ok it was an AI hallucination, I guess. Does anyone have any other ideas? Would really appreciate it.</P> Fri, 25 Apr 2025 19:26:38 GMT https://community.spotify.com/t5/Spotify-for-Developers/iframe-embed-giving-Content-Security-Policy-error/m-p/6935727#M17683 hq9000 2025-04-25T19:26:38Z