Closed HiroyasuNishiyama closed 3 years ago
Looks really good - only question is if setting as the origin by default is too open for security? I can see that for anyone actually using the node then the most likely setting will indeed be so it may be ok - or at least the most sensible default.
(Also I'm not sure if some users will know what origin means - or in this environment - who or what is the origin referred to - is it the browser running the dashboard - the instance of Node-RED - or the remote server serving the iframe? (OK so yes, users can go look it up but... :-)
I'm happy to merge it.
Regarding origin parameter, I think that we have no other choice but to use * as default because it depends on the implementation of the web page that accepts postMessage.
Not sure that I really understand this Origin bit. The Description of the node says * == no limitation but most of the time when I try to use a public url I get a cross origin issue, i.e.
:1880/ui/#!/4?socketid=87uW_VSbdZD3Y_t5AAAE:1 Refused to display 'https://geology.com/world/africa-satellite-image.shtml' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Would this be expected? I can load the url properly from another tab on the same browser showing the Node Red UI.
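Added example, not part of this PR or of the ui-iframe node's code: one way the two sides of the Web messaging exchange discussed above can avoid relying on `*`, by deriving the `postMessage` target origin from the embedded URL and by checking `event.origin` exactly on the receiving page. The function names and sample origins are assumptions made for illustration.

```javascript
// Added example; targetOriginFor and makeMessageHandler are hypothetical names,
// not functions of node-red-dashboard or of the ui-iframe node.

// Sender side: derive the targetOrigin for postMessage from the URL shown in
// the iframe, so the message is only delivered if that origin is still loaded.
function targetOriginFor(iframeUrl, dashboardOrigin) {
  // Relative URLs resolve against the dashboard, i.e. same-origin content.
  const u = new URL(iframeUrl, dashboardOrigin);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    // data:, blob:, file: and similar have no origin that can be targeted.
    throw new Error("no usable origin for a " + u.protocol + " URL");
  }
  return u.origin; // scheme + host + port, default port dropped
}

// Receiver side: build a "message" listener that only accepts allowed origins.
function makeMessageHandler(allowedOrigins, onMessage) {
  // Normalise once so "http://localhost:1880/" and "http://localhost:1880" match.
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function handler(event) {
    // event.origin is filled in by the browser. Compare it exactly: a prefix or
    // substring test would also accept "http://localhost:1880.other.example".
    // The string "null" is the opaque origin of sandboxed or data: documents.
    if (event.origin === "null" || !allowed.has(event.origin)) {
      return false; // drop silently
    }
    onMessage(event.data);
    return true;
  };
}

// In a browser the two halves would be wired up like this (sketch):
//   frame.contentWindow.postMessage(msg, targetOriginFor(frame.src, location.origin));
//   window.addEventListener("message", makeMessageHandler([dashboardOrigin], fn));

// Constructed sample events, shaped like the MessageEvent fields used above.
const received = [];
const handler = makeMessageHandler(["http://localhost:1880/"], (d) => received.push(d));
const sampleResults = [
  { origin: "http://localhost:1880", data: { payload: 1 } },
  { origin: "http://localhost:1880.other.example", data: { payload: 2 } },
  { origin: "null", data: { payload: 3 } },
].map((ev) => handler(ev));
```

The origin handled here only governs delivery of `postMessage` data. Whether a site may be displayed in a frame at all is decided by that site's own `X-Frame-Options` or CSP `frame-ancestors` response header, which the browser enforces independently.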
Proposed changes
This PR attempts to add a new UI widget node (ui-iframe) for embedding a Web page on Node-RED Dashboard. It also supports Web messaging API for interacting with the embedded page.
Checklist
grunt to verify the unit tests pass