Unauthorized access using non-interactive iframe embed

Agree with @3ventic. HTML5 is released for everyone, so you shouldn’t need to use the HTML5 query string parameter. Does removing that help?