Exercises the common ways a third-party site might reference a URL — iframe, sandboxed iframe, fetch(), window.open(), plain anchor — and reports which actually work from this page's origin. Built to verify that app.dev.nymiz.com/viewer/ can be embedded by customer sites.
Standard cross-origin iframe. iframe loading is not subject to CORS — it's governed by X-Frame-Options and Content-Security-Policy: frame-ancestors on the embedded page. If the frame below renders the viewer, embedding works. If it stays blank, one of those headers is blocking it.
The load event fires either way (browsers don't expose framing-block as an error), so visual inspection is the source of truth here. Cross-origin iframe contents are not introspectable from this page — that's the same-origin policy, working as intended.
Same as test 01 but with sandbox="allow-scripts allow-same-origin allow-forms allow-popups". Security-conscious customers may wrap iframes in a sandbox. If the viewer needs capabilities not in this set (storage access, top-navigation, etc.), it will be broken here even though the bare iframe works.
Embeds content via the data attribute (not src). Subject to the same framing protections as <iframe> — X-Frame-Options and CSP frame-ancestors. If iframe (01) works, this usually does too. The element supports fallback content shown when loading fails outright, which can give a clearer signal than a silently-blank iframe.
Rarely used for HTML in modern customer sites — mostly historical (PDFs, SVG, plugins). Included because some CMS templates still generate it.
Embeds via the src attribute. Like <object>, governed by the same framing protections as iframes. Browser behaviour for HTML content inside <embed> is inconsistent — load events are unreliable and there's no fallback mechanism. Last-resort diagnostic; most useful when a customer reports an oddly-shaped embed-tag-based integration.
CORS-mode GET request. Succeeds only if the response carries Access-Control-Allow-Origin matching this page's origin (or *). For a static HTML page on app.dev.nymiz.com, that header is almost certainly not set — so this is expected to FAIL from any third-party origin. That's correct and intended: customers embed the viewer in an iframe, they don't scrape it.
A no-cors fetch reaches the server but returns an opaque response: status is forced to 0, body and headers are unreadable. Use this to confirm the network path works at all (DNS, TLS, routing), independently of CORS. Anything beyond "the request was sent" requires the browser's Network panel to inspect.
Opens the URL in a new tab. Not embedded, not CORS-restricted. Useful as a control: confirms the URL itself is reachable and renders correctly, isolating any "is the URL broken" question from any framing question. Popup blockers may interfere if the click isn't recognised as a user gesture.
The most permissive case: navigation via a real anchor element. No CORS, no framing, just a link. If this fails, something is very wrong at the network or DNS layer.