I believe this is caused by the way that https://hypothes.is
configures cookies with the `SameSite` attribute set to `Lax` - which is the recommended default for this attribute. See https://web.dev/samesite-cookie-recipes/
. As a result, `POST` requests made from iframes in a third-party website will not include cookies, such as the Login request.
The Hypothesis client avoids this issue by making login happen in a popup, but we haven't done that for https://hypothes.is/search
yet because that page is not currently designed to be embedded. For the moment you will need to create an external link which opens in a top-level tab, unless you are OK with the user being anonymous.