Why iframe doesn't work with google?

The main idea of my app is to login to google credentials with a pop up new window or an embedded auth website (iframe).
All good until I need to authenticate the user. The first approach was to create a new web tab with auth link and redirect to main app. the problem with this was the leftover webpage (initial) that doesn’t server any purpose. then I tried (unsuccessfully) with window.close, so look for some components that shows a popup window that takes care of the auth cycle. but I caaaaant make one based on html component or anything, simply just renders nothing!

I tried in many ways to put that in a iframe with the streamlit component iframe but it didnt work! its getting rejected because some policies against XSS (Content-Security-Policy) - script
Seems to be because of the request parameters that are out of my hands:

So… anyone that could give me a hand (with any solution) please… its really appreciated.

this are my thoughts:

  1. let it be
  2. close first window (auth process will redirect to it again but in a different tab)
  3. popup window to auth_url
  4. iframe object to auth_url

this Is the request made:
:method: GET
:scheme: https
:authority: accounts.google.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
Connection: keep-alive
Host: accounts.google.com
Referer: https://certificapp.streamlit.app/
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 Safari/605.1.15

this is the answer:
:status: 403
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Alt-Svc: h3=“:443”; ma=2592000,h3-29=“:443”; ma=2592000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Security-Policy: require-trusted-types-for ‘script’;report-uri /v3/signin//AccountsSignInUi/cspreport, script-src ‘nonce-chD5BddgWEV5dsSQ-LYWiA’ ‘unsafe-inline’;object-src ‘self’;base-uri ‘self’;report-uri /v3/signin//AccountsSignInUi/cspreport;worker-src ‘self’, script-src ‘unsafe-inline’ ‘self’ https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /v3/signin/_/AccountsSignInUi/cspreport/allowlist
Content-Type: text/html; charset=utf-8
Date: Fri, 08 Sep 2023 08:00:13 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
permissions-policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=*
Pragma: no-cache
Server: ESF
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
X-Content-Type-Options: nosniff
X-XSS-Protection: 0