This technique works best for folders with public access. Folders that are shared only with certain Google accounts can cause trouble when you embed them this way, depending on which Google accounts are active on the user’s browser:

  1. If the user has not logged in to any Google account, then nothing appears in the frame.
  2. If the user is logged in to an account without authorisation to access the folder, the frame will contain the message “You need permission”, with buttons to “Request access” or “Switch accounts”; clicking the latter blanks out the frame.
  3. If the user logs in to an account without proper permissions and later adds the authorised account, then on loading the embedded Drive, Google will fall back to the first active account and the user will see “You need permission”, unless…
  4. If the URL contains a Google Suite domain and the user is logged in to that domain’s account, the embedded view will work, even if the user logged in to another account first.

The blank frames appear because Google forbids embedding its login page in an IFRAME (presumably to prevent account stealing) via the X-Frame-Options header: when it is set to SAMEORIGIN, any well-behaved browser will refuse to load the page in a frame unless the embedding page comes from the same origin (e.g. You can see this in the developer console of your browser.
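
The sketch below is an added example, not code from the original post or from Google. It models the framing decision a browser makes from the response headers. The function name `framingDecision` and the origins `login.example` and `blog.example` are hypothetical, and only the direct parent page is checked rather than the full chain of ancestors.

```javascript
// Added example: would a browser render `frameUrl` inside a page served from
// `parentOrigin`, given the headers of the framed response?
// Simplification (assumption): only the direct parent is evaluated.
function framingDecision(headers, frameUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const parent = new URL(parentOrigin).origin;
  const sameOrigin = parent === new URL(frameUrl).origin;

  // A CSP frame-ancestors directive, when present, takes precedence over
  // X-Frame-Options.
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const allowed = directive.slice(1).some(s => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "'self'") return sameOrigin;
      if (src === "*") return true;
      try { return new URL(src).origin === parent; }
      catch { return false; } // wildcard hosts and bare schemes are not modelled
    });
    return { allowed, reason: "CSP frame-ancestors" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN")
    return { allowed: sameOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  return { allowed: true, reason: "no framing restriction" };
}

// Constructed sample: a login page that sends SAMEORIGIN, embedded in a blog.
const sample = framingDecision(
  { "X-Frame-Options": "SAMEORIGIN" },
  "https://login.example/signin",
  "https://blog.example"
);
console.log(sample); // blocked: the blog is a different origin
```
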