I saw those invalid CSS widths and heights too, dejaworks. They're effectively being ignored in chrome, but definitely not correct syntax!

I've submitted feedback via https://feedbackassistant.apple.com/ about this.

I am running into the same issue, and wasn't able to determine the cause while using Chrome. On Firefox, however, the message was clearer: Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘https://x.example.com’) does not match the recipient window’s origin (‘https://y.example.com’). It appears the iframe is only allowed to do the "post" on the same origin as the page that opened the popup. This is not at all explained in Apple's documentation - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms. Is there no way to customize the iframe behavior of the Apple SDK so that additional origins can be allowed for the postMessage call? Currently, our auth service (which is what should receive the callback) is on a different subdomain than the page initiating the popup. Working around this won't be a trivial change for us.

Have you tried using Firefox? I noticed that the console on Firefox may give more useful error messages to help you determine why nothing happens on your step 4.