CSRF verification failed when logging into invitation link in embedded iframe

Hey Everyone!

I’m attempting to get a read-write invitation link to work when embedded in an iframe. I want to allow editing of the seatable from within the iframe, otherwise, I would use an external link (read-only).

The iframe can load the invitation link without problem, loading the login screen asking for “Email or username or phone number” & “Password”. The invitation link URL being loaded looks like this:

https://cloud.seatable.io/accounts/login/?next=/dtable/links/<invite_link_token>

Once I enter credentials and click “Log In”, I get the following error. Is there any way to get around this?

Forbidden (403)

CSRF verification failed. Request aborted.

You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.


Welcome to the SeaTable forum!

Please check in your dtable_web_settings.py whether you have set these parameters: dtable_web_settings.py - SeaTable Admin Manual

Hey, see_felix,
iframes lead to vulnerabilities and can be abused, for example by clickjacking. Therefore, we decided to forbid all iframes on cloud.seatable.io. We made this decision to improve the security of SeaTable Cloud and to protect our customers. All URLs of cloud.seatable.io will have the header “X-Frame-Options: SAMEORIGIN”.

The only exceptions to that rule are the following three pages:

  • /dtable/view-external-links/
  • /dtable/external-links/
  • /dtable/external-apps/

These are the URLs of all shareable things (bases, views and external apps) in SeaTable. These can still be embedded into other websites. These links are all read-only; therefore there is no risk of clickjacking.

Your posted invite-link will still work, but it will not work inside an iframe.

Best regards,
Christoph

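To make the header rule in Christoph's reply checkable, here is an added example (not SeaTable's code, and not something posted in this thread). It evaluates X-Frame-Options and the CSP frame-ancestors directive the way a browser decides whether an iframe on one origin may load a page from another, then audits a set of responses against the stated policy: every path on cloud.seatable.io carries SAMEORIGIN except the three read-only paths. The responses in SAMPLE_RESPONSES are constructed to mirror that description, not captured from the live service, and the token abc123 is a placeholder. Note that the login URL with `?next=/dtable/links/...` is the page actually framed, so its own header decides, regardless of what `next` points to.

```python
"""Framing-policy check for the X-Frame-Options rule described in this thread.

Added example, not SeaTable's own code.  SAMPLE_RESPONSES are constructed
to mirror the stated policy; nothing here was captured from cloud.seatable.io.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased (default ports are not normalised)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the directive
    is absent.  A directive with no sources means 'none'."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]] or ["'none'"]
    return None


def source_matches(source: str, page_origin: str, embedder: str) -> bool:
    """Match one frame-ancestors source expression against the embedder origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page_origin
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:   # scheme source, e.g. https:
        return embedder.startswith(source)
    if "://" not in source:                           # host source without scheme
        source = "*://" + source
    return fnmatchcase(embedder, source)              # covers https://*.example.com


def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """May a document at embedder_url frame page_url?

    frame-ancestors, when present, is enforced and X-Frame-Options ignored
    (CSP Level 2).  X-Frame-Options values other than DENY and SAMEORIGIN
    (e.g. legacy ALLOW-FROM) are treated as absent.  No header: framing allowed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin(page_url), origin(embedder_url)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            return any(source_matches(s, page, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True


# The three paths the reply names as the only ones embeddable elsewhere.
EMBEDDABLE_PREFIXES = (
    "/dtable/view-external-links/",
    "/dtable/external-links/",
    "/dtable/external-apps/",
)

# Constructed sample responses (not captured); "abc123" is a placeholder token.
SAMPLE_RESPONSES = {
    "https://cloud.seatable.io/accounts/login/?next=/dtable/links/abc123":
        {"X-Frame-Options": "SAMEORIGIN"},
    "https://cloud.seatable.io/dtable/links/abc123":
        {"X-Frame-Options": "SAMEORIGIN"},
    "https://cloud.seatable.io/dtable/external-links/abc123/":
        {"Content-Type": "text/html; charset=utf-8"},
    "https://cloud.seatable.io/dtable/view-external-links/abc123/":
        {"Content-Type": "text/html; charset=utf-8"},
    "https://cloud.seatable.io/dtable/external-apps/abc123/":
        {"Content-Type": "text/html; charset=utf-8"},
}


def audit(responses: dict, embedder_url: str):
    """Return (urls a third-party site may frame, urls deviating from the rule).

    A deviation is a non-exception path that the embedder may frame, or an
    exception path that is blocked for it.
    """
    embeddable, deviations = [], []
    for url, headers in responses.items():
        allowed = framing_allowed(headers, url, embedder_url)
        expected = urlsplit(url).path.startswith(EMBEDDABLE_PREFIXES)
        if allowed:
            embeddable.append(url)
        if allowed != expected:
            deviations.append(url)
    return sorted(embeddable), sorted(deviations)


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_RESPONSES, "https://intranet.example.com/dashboard")
    print("embeddable from a third-party site:", *ok, sep="\n  ")
    print("deviations from the stated policy:", bad)
```

To run this against real responses instead of the constructed sample, replace SAMPLE_RESPONSES with the header dictionaries returned by an HTTP client; the audit then tells you which paths a page on your own origin can frame and which ones, like the login page carrying the invite link, will be refused by the browser before any form is submitted.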
