ui icon indicating copy to clipboard operation
ui copied to clipboard
verified publisher icon fancyapps

Allow disabling of "credentialless" on iframeAttr

Open chendo opened this issue 6 months ago • 2 comments

Is your feature request related to a problem? Please describe.

We're trying to upgrade from our licensed Fancybox v4 to v6. We have run into an issue where we are using iframes with credentials as a captcha mechanism, however due to the default value of credentialless being enabled, this is causing the captcha to not be able to persist a cookie across all browsers.

Describe the solution you'd like

I propose that if the value of a key in iframeAttr is falsey, it should not be set on the iframe.

Describe alternatives you've considered

I've tried the following:

Html: {
  iframeAttr: {
     credentialless: false
  }
}

Html: {
  iframeAttr: {
     credentialless: "no", 
  }
}

Html: {
  iframeAttr: {
     credentialless: null, // sets credentials="null"
  }
}

I've tried crossorigin="use-credentials", which does override credentialless in Safari, but doesn't work in Chrome.

I have also tried to use various hooks to try to modify the iframe before it gets attached to the DOM to no avail.

Additional context

No response

chendo avatar Jun 20 '25 04:06 chendo

Hi,

The Html plugin has been moved to the Carousel to allow for an "inline Fancybox" effect. So you can set the parameters like this:

Fancybox.bind("[data-fancybox]", {
  Carousel : {
    Html : {
      iframeAttr: {
        allow: "autoplay; fullscreen",
        scrolling: "auto"
      }
    }
  }
});

fancyapps avatar Jun 20 '25 08:06 fancyapps

@fancyapps We use Fancybox.show to invoke in this scenario, and I had left out the Carousel bit in my example to keep it cleaner, but that was what I was doing, and the problem is that I cannot remove the default credentialless: "" definition due to how the defaults are merged and the attributes applied.

// defaults definition
const a = {
    iframeAttr: {
      allow: "autoplay; fullscreen",
      scrolling: "auto",
      credentialless: ""
    }
  },

// ...

// code that merges and applies attributes
for (const [e, o] of Object.entries(function () {
  const e = null == i ? void 0 : i.getOptions().Html;
  return t(e) ? Object.assign(Object.assign({}, a), e) : a;
}().iframeAttr || {})) l.setAttribute(e, o);

If the above snippet was modified to something like if (o) { l.setAttribute(e, o) } so only truthy values were set, then that would resolve my issue.

chendo avatar Jun 21 '25 00:06 chendo

Closing as I was unable to reproduce the error after revisiting the issue

chendo avatar Jul 03 '25 07:07 chendo