Hi Front team,
We’re building a sidebar plugin that loads our plugin page https://samplesite.com/front-plugin inside the Front UI. Front adds ?auth_secret=… to our iframe URL, and we’re trying to bootstrap the SDK per the docs:
<script src="https://app.frontapp.com/scripts/sdk.js?auth_secret=…"></script>
Our page (HTTPS, same origin as the SDK allow‑list) loads one script at a time and retries the fallback URLs:
- https://app.frontapp.com/scripts/sdk.js
- https://app.frontapp.com/plugins/sdk.js
- https://app.frontapp.com/static/frontend-plugin-sdk.js
For each request we append the auth_secret from the iframe URL. We also guard against multiple insertions, remove existing script tags, and even tried adding type="module".
What we’re seeing
In Firefox and in Chrome the script load always fails:
- The browser console shows:
Access to script at 'https://app.frontapp.com/scripts/sdk.js?auth_secret=…' from origin 'https://www.samplesite.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
- The network log confirms each request gets a 302 redirect with Location: /signin?redirect_url=….
- Because the response is HTML (the sign-in page) the script never loads and window.Front is undefined.
- Here’s a snapshot from the HAR:
Request: GET https://app.frontapp.com/scripts/sdk.js?auth_secret=010eXXX
Response: 302 -> Location /signin?redirect_url=%2Fscripts%2Fsdk.js%3Fauth_secret%3D010eXXX
Environment
- Front sidebar iframe (origin https://www.samplesite.com)
- auth_secret present in the iframe URL
- Firefox 129 on macOS (ETP on and off both tested)
- Chrome 128 (with and without third-party cookie blocking extensions)
What we’ve tried
1. Adding auth_secret to every SDK URL.
2. Running from HTTPS with a valid certificate.
3. Testing multiple SDK URLs (per the docs and the community post on cookie replacements).
4. Logging window.location and postMessage data to confirm we’re inside the Front iframe and receiving data from Front.
Despite all that, the request always redirects to /signin and never serves JavaScript. If we open the SDK URL directly in a top-level tab while signed in, it succeeds; only the iframe context triggers the redirect.
Questions
- Is there an additional parameter or header we need to send with the script request when using auth_secret?
- Are there new domain or CSP requirements that we might be missing?
- Has the SDK moved to a new URL/host we should rely on instead?
- Is there an official way to load the SDK without relying on cookies (as per the “Replacing third-party cookies in Front plugins” announcement)?
Any guidance would be greatly appreciated; we’re blocked on inserting content into the Front composer until we can load the SDK reliably.
Thanks!
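As an added example (not the poster's code and not Front's SDK), the loader described above: it copies auth_secret from the iframe URL onto each of the three candidate SDK URLs, refuses to attach the secret to any origin other than app.frontapp.com, deduplicates the script tag, and reports failures without the secret in the message. The script id and the injectable loadScript callback are assumptions so the URL logic can be exercised outside a browser; it does not change the 302-to-/signin behaviour the post reports, it only makes that failure visible per URL.

```javascript
// Added example, not code from the original post. URLs and hostnames are taken
// from the post; SCRIPT_ID and the injectable loadScript callback are assumptions.
const SDK_ORIGIN = 'https://app.frontapp.com'; // the only origin allowed to receive auth_secret
const SDK_CANDIDATES = ['/scripts/sdk.js', '/plugins/sdk.js', '/static/frontend-plugin-sdk.js'];
const SCRIPT_ID = 'front-plugin-sdk'; // guards against inserting the <script> tag twice

// Build candidate URLs, appending auth_secret taken from the iframe's own URL.
// Returns null when the iframe URL carries no auth_secret (never guess one).
function buildSdkUrls(iframeHref, candidates = SDK_CANDIDATES) {
  const secret = new URL(iframeHref).searchParams.get('auth_secret');
  if (!secret) return null;
  return candidates.map((path) => {
    const url = new URL(path, SDK_ORIGIN);
    // Refuse to leak the secret if a candidate ever points at another host.
    if (url.origin !== SDK_ORIGIN) throw new Error(`refusing to send auth_secret to ${url.origin}`);
    url.searchParams.set('auth_secret', secret);
    return url.href;
  });
}

// Insert a single <script> tag; resolves when the SDK is usable, rejects otherwise.
// A 302 to the HTML sign-in page surfaces here as the CORS-blocked onerror the post shows.
function domScriptLoader(url) {
  return new Promise((resolve, reject) => {
    document.getElementById(SCRIPT_ID)?.remove(); // remove any earlier attempt first
    const s = document.createElement('script');
    s.id = SCRIPT_ID;
    s.src = url;
    s.onload = () => (window.Front ? resolve(url) : reject(new Error('loaded but window.Front is undefined')));
    s.onerror = () => reject(new Error('script failed to load'));
    document.head.appendChild(s);
  });
}

// Try each URL in order; return the first that loads, otherwise throw a redacted summary.
async function loadFirstAvailable(urls, loadScript = domScriptLoader) {
  const failures = [];
  for (const url of urls) {
    try {
      return await loadScript(url);
    } catch (err) {
      // Record the path only, so auth_secret never reaches the console or an error tracker.
      failures.push(`${new URL(url).pathname}: ${err.message}`);
    }
  }
  throw new Error(`Front SDK unavailable: ${failures.join('; ')}`);
}
```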