CF_Authorization cookie not passed to iframe

Zero Trust Access
#1

We’re using ZTN (and it works).
I want to embed into iframe the content served on one of tunnels.

I have a dummy hello-tunnel in cloudflared.

The page opens normally and here are the response headers:
Status: 200

Response Headers (likely not important)
  1. alt-svc: h3=“:443”; ma=86400, h3-29=“:443”; ma=86400
  2. cf-cache-status: DYNAMIC
  3. cf-ray: …
  4. cf-team: …
  5. content-encoding: br
  6. content-type: text/html; charset=utf-8
  7. date: Sun, 18 Dec 2022 19:12:56 GMT
  8. nel: {“success_fraction”:0,“report_to”:“cf-nel”,“max_age”:604800}
  9. report-to: …
  10. server: Cloudflare

Now, when I put it into an iframe, a redirect appears:

  1. Status Code: 302
  2. Remote Address: …
  3. Referrer Policy: strict-origin-when-cross-origin
Response Headers (likely not important):
  1. access-control-allow-credentials: true
  2. alt-svc: h3=“:443”; ma=86400, h3-29=“:443”; ma=86400
  3. cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  4. cf-ray: …
  5. cf-team: …
  6. date: Sun, 18 Dec 2022 18:52:43 GMT
  7. expires: Thu, 01 Jan 1970 00:00:01 GMT
  8. location: …
  9. nel: {“success_fraction”:0,“report_to”:“cf-nel”,“max_age”:604800}
  10. report-to: …
  11. server: Cloudflare
  12. vary: Accept-Encoding

PS. I want to point that in the headers there is nothing related to CSP (content security policy) and no x-frame-options.

Update: After looking here: Authorization cookie · Cloudflare Zero Trust docs
I realized that this is probably because of CORS (same site iframing works, but I need an iframe on other domain).

Update 2: I found settings for CORS in application tab in ZTN, probably that’s what I was looking for.
I believe I’ve checked all options, but CF_Authorization not passed in iframe and I still get 302 to mysubdomain.cloudflareaccess.com, and that domain is not embeddable. I’ve checked in chrome and firefox, and I can access non-iframed version perfectly, but not an iframed one.

My current setup:
Access-Control-Allow-Credentials: yes
Access-Control-Max-Age (seconds): 100
Access-Control-Allow-Origin: https://website-with-iframe-in-page.com
Access-Control-Allow-Methods: allow all
Access-Control-Allow-Headers: allow all

Same-site: None
HTTP Only: true
Enable Binding Cookie: false

#2

The same here. X-Frame-Options is set to DENY in Cloudflare headers.

The Cloudflare team could perform the addition of a configuration for this issue. I have an Android app and I can’t access my secured sites from it as pretty much the entire Android framework uses iframes internally from the webview.