javascript - Refused to display a frame because it set X-Frame-Options to 'DENY in android webview

Question

When I try to show the google calendar in webview , it show some error:

[INFO:CONSOLE(0)] "Refused to display 'https://accounts.google.com/ServiceLogin?service=cl&passive=1209600&continue=https://www.google.com/calendar/embed?src%[email protected]%26ctz%3DAsia/Hong_Kong&followup=https://www.google.com/calendar/embed?src%[email protected]%26ctz%3DAsia/Hong_Kong&btmpl=mobile&ltmpl=mobilex&scc=1' in a frame because it set 'X-Frame-Options' to 'DENY'.", source: about:blank (0)

And this is the html code

<p><iframe style="border: 0;" src="https://www.google.com/calendar/embed?src=etlwhk%40gmail.com&amp;ctz=Asia/Hong_Kong&amp;output=embed" width="800" height="600" frameborder="0" scrolling="no"></iframe></p>

And for the android side it is some simple webview code

        StringBuilder sb = new StringBuilder();
        sb.append("<HTML><HEAD><meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1.0'><style>img{display: inline; height: auto; max-width: 100%}iframe{width:100%}</style></HEAD><body>");
        sb.append(page.page_content_chi.toString());
        sb.append("</body></HTML>");
        webview.loadDataWithBaseURL("file:///android_asset/", sb.toString(), "text/html", "utf-8", null); 

How to fix the error? Thanks for helping.

Answer 1

You need to make your calendar public. This is what is happening -- as the calendar you are trying to display isn't shared publicly, Google Calendar first wants to know who you are in order to decide on what to show to you, so it sends you to the Google login page. The login page protects itself from click hijacking by disallowing displaying itself in an iframe (that's what 'X-Frame-Options' is set to 'DENY' means).

If you make the calendar publicly visible, Calendar will just show it, without trying to log you in first. On how to share the calendar, see this: https://support.google.com/calendar/answer/37083

You can trivially test on desktop whether this will work in WebView by creating a simple test page that embeds the calendar in an iframe, and then opening it in an Incognito window of Google Chrome, where you are not logged into Google services. Chrome will also be refusing to show Calendar until you make it publicly shared.