When I enter my page in Incognito mode it shows just Grist logo in the iframe and keeps loading.
I get the following error:
However, when I access my page on the browser window which is logged into Grist it shows embedded widget correctly.
Surprisingly, when I paste the iframe’s src path directly into browser address bar in Incognito mode, it also shows the embedded version of the widget correctly.
This is related to the “third-party cookies” policy in the incognito tab. To test how your site looks for an anonymous user you can temporarily turn off this policy. You can find it on the incognito mode start page. For example in chrome:
Grist is not storing any tracking cookies, but is using localeStorage to store user preferences, and access to localStorage (from external domains) is controlled by the same setting in the incognito mode.
You can also test if it works by logging out of Grist and visiting your page (of course not in incognito mode )
Thanks @jarek - indeed it works this way. Pozdrawiam
BTW I noticed in the embedded widget in read-only mode there is still possibility to view items that were originally filtered off (you cannot save the changes to filtering but you can still scroll through the complete table).
I think it can lead to unintentional data breach - my feel would be that data shall not be either viewable or even sent via api call.
Yes, this is by design, but maybe it is not clearly explained in the documentation. Filters are a client-only feature, to properly secure your data, you can use access rules, which can limit the number of rows or even columns that are visible to anonymous users.
Regarding the localStorage issue, we are working on a fix that will allow using incognito mode with embedded documents.
)