Custom email signature "HTML format (Optional)" no working.

Ok, I got a bit closer to the problem. I looked into the raw .eml's
It's 2 issues:

1. Apple mail indeed, doesn't somehow append the html part, if i send with sogo, all is fine, when the following second issue is good:
2. If I don't have any signature inside of the "pure text format input" and just signature in the "html input area", then the html doesn't get rendered, if both are filled and i send with sogo, html gets rendered.

Any content inside of the html inputarea is not being rendered in any email is send. No matter if there is content inside of the normal signature inputarea or not. The normal one works with no problems at all. I am sending my mails with apple mail UI, and for receiving I cross-checked with sogo, but they don't display the html signature either. I have setup my outbound server via postmark.

Can you give me your example html, that I can try?

When I try to set a custom "HTML format (Optional)" global domain wide signature, it doesn't apply the design.
Actually, any content inside of the HTML format (Optional) field doesn't get rendered at all.

Am I missing something, or is this a bug?

Thanks for the clarification and explaining the security implications. Would it work in a secure way, if the "iframe" app is on the same domain, f.e. iframe.cloudron.app ?

I have another question to this case. I am trying to add a custom interface dashboard, which embeds each of the cloudron apps as iframes into my UI.

While I made the iframe embedding work with adding the CSP like this:

frame-ancestors 'self' http://localhost:*;
I am not able to login into nextcloud via the embedded iframe. (after sending email and password, nothing happens)

Then for penflip is also different again, when pressing OpenID connection button: Refused to frame 'https://my.cloudron.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". (is there a way to enable custom CSP embedding for the whole my.cloudron.com as well?)

For Paperless this is the response:
Verboten (403)
CSRF-Verifizierung fehlgeschlagen. Anfrage abgebrochen.

Sie sehen Diese Nachricht, da diese Seite einen CSRF-Cookie beim Verarbeiten von Formulardaten benötigt. Dieses Cookie ist aus Sicherheitsgründen notwendig, um sicherzustellen, dass Ihr Webbrowser nicht von Dritten missbraucht wird.

Falls Sie Cookies in Ihren Webbrowser deaktiviert haben, müssen Sie sie mindestens für diese Seite oder für „Same-Origin“-Verbindungen reaktivieren.

Mehr Information ist verfügbar mit DEBUG=True.

For some other apps this works perfectly fine. f.e. directus

Is there a generell way of solving this nicely for any app?