Plan

Premium

Country

Argentina

Device

(Macbook Pro late 2020)

Operating System

(macOS 15.4.1 (Sequoia))

My Question or Issue

Hi everyone,

I’m working on a web-based project where I embed public Spotify playlists using the official embed URL format:

https://open.spotify.com/embed/playlist/{playlistId}

Until yesterday, everything was working perfectly: users with an active Spotify session could see the embed and play music directly from the iframe, no extra login required. Then, overnight, this behavior broke — without any changes on my end.

The embed still loads visually, but tehre are no playback controls. The browser console throws the following error:

Refused to frame 'https://accounts.spotify.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://open.spotify.com".

This suggests that Spotify is now blocking iframe playback from external domains, even when the user is already logged in via the browser.

What I’ve already tried:

• Confirmed the playlist is public.

• Used the official Spotify embed URL as recommended.

• Ensured the user is logged in to Spotify in the same browser.

• Removed all query params like view=list or theme.

• Tried in different browsers and environments (dev + production).

Despite all this, the embed no longer allows playback and consistently throws the same CSP error.

My questions:

1. Has there been an official change to the embed behavior or CSP restrictions recently?

2. Is there any supported way to enable playback from the embed iframe without using the full OAuth + Web Playback SDK flow?

3. Is this the expected behavior now, or is this an unintended regression?

This change happened literally overnight. I implemented the embeds yesterday, tested across devices — everything worked. Today, it’s broken without touching a line of code.

Any clarification or guidance would be greatly appreciated. Thanks!