playcanvas / editor

Issue tracker for the PlayCanvas Editor
https://playcanvas.com/

Allow iframing the launch tab on localhost #668

Open yaustar opened 2 years ago

yaustar commented 2 years ago

This would help the workflows of developers who are using PlayCanvas as part of a larger web app, such as within a React website or similar.

tonetechnician commented 1 year ago

Yeah, +1 for this! Exactly what is required for me to enhance the developer flow.

slimbuck commented 1 year ago

@yak32 presumably this requires just a slightly different content policy rule on our end?

Icosaplex commented 1 year ago

This would be really helpful

DeaconDP commented 1 year ago

+1

tobowers commented 1 year ago

+1 - our app has a somewhat complex relationship with the hosting page (requesting things like sending transactions, etc). And our host page puppets the game as well. I can do most of the testing using a test harness within the app, but the last mile of testing gets annoying with having to do builds all the time.

willeastcott commented 1 year ago

Hey @yak32 - can you give an update (when you're back) on the feasibility of supporting this?

yak32 commented 1 year ago

> Hey @yak32 - can you give an update (when you're back) on the feasibility of supporting this?

I need to discuss it with our security team.

yak32 commented 1 year ago

Our launch page uses an authorisation cookie to authenticate requests (only authorised users are allowed to preview the current project). The cookie's SameSite attribute is set to 'Lax' to only allow the same domain to receive the authorisation cookie, for security reasons. Web pages in an iframe only send cookies with SameSite set to 'None'. Unfortunately we can't change our auth cookies to have SameSite 'None' for security reasons, so I don't see an easy solution without a significant redesign of our authentication method for now.
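To make the cookie behaviour in the comment above concrete, here is a small model of the browser's SameSite rules. It is an added example, not PlayCanvas code, and it is deliberately simplified: it ignores cookie Domain/Path matching, `__Host-`/`__Secure-` prefixes and Chrome's "Lax-allowing-unsafe" grace period, and it reduces a hostname to its "site" by taking the last two labels (a stand-in for a real public-suffix list). The hostnames `launch.example.com` and `localhost:3000` and the cookie name `pc_auth` are constructed for the example.

```javascript
// Added example (not PlayCanvas code): why a SameSite=Lax auth cookie is not
// attached to a cross-site iframe load, while SameSite=None; Secure is.

const SAME_SITE_VALUES = new Set(['Strict', 'Lax', 'None']);

// Registrable "site" of a host. Simplification: last two DNS labels stand in
// for a public-suffix-list lookup; single-label hosts (localhost) are themselves.
function siteOf(host) {
  const hostname = host.toLowerCase().split(':')[0]; // drop any port
  return hostname.split('.').slice(-2).join('.');
}

// Parse the subset of a Set-Cookie header this example cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: 'Lax' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') {
      const val = v.trim() ? v.trim()[0].toUpperCase() + v.trim().slice(1).toLowerCase() : '';
      // Unknown or missing value: modern browsers default to Lax.
      cookie.sameSite = SAME_SITE_VALUES.has(val) ? val : 'Lax';
    }
  }
  return cookie;
}

// ctx: { topLevelSite, requestHost, method, topLevelNavigation, https }
// topLevelSite is the site of the page in the address bar; requestHost is the
// host the cookie belongs to and that the (sub)resource is fetched from.
function wouldSendCookie(cookie, ctx) {
  if (cookie.secure && !ctx.https) return false;
  // Browsers reject SameSite=None cookies that lack Secure; model as "never sent".
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  if (siteOf(ctx.topLevelSite) === siteOf(ctx.requestHost)) return true; // same-site: always sent
  switch (cookie.sameSite) {
    case 'Strict': return false;
    case 'Lax': return ctx.topLevelNavigation && ctx.method === 'GET'; // top-level safe navigations only
    case 'None': return true;
    default: return false;
  }
}

// The scenarios from the thread: the launch page opened in its own tab vs
// framed by a localhost dev server. Hosts are constructed for the example.
function launchCookieScenarios() {
  const laxCookie = parseSetCookie('pc_auth=abc; Secure; HttpOnly; SameSite=Lax');
  const noneCookie = parseSetCookie('pc_auth=abc; Secure; HttpOnly; SameSite=None');
  const framedFromLocalhost = {
    topLevelSite: 'localhost:3000', requestHost: 'launch.example.com',
    method: 'GET', topLevelNavigation: false, https: true,
  };
  const ownTab = { ...framedFromLocalhost, topLevelSite: 'launch.example.com', topLevelNavigation: true };
  const linkFromLocalhost = { ...framedFromLocalhost, topLevelNavigation: true };
  return {
    laxInIframe: wouldSendCookie(laxCookie, framedFromLocalhost),     // false: the problem in the thread
    laxOwnTab: wouldSendCookie(laxCookie, ownTab),                    // true
    laxTopLevelLink: wouldSendCookie(laxCookie, linkFromLocalhost),   // true: Lax allows top-level GET navigation
    noneInIframe: wouldSendCookie(noneCookie, framedFromLocalhost),   // true: but None exposes the cookie to every site
  };
}
```

The last line of the scenarios is the trade-off the comment describes: `SameSite=None` would make the framed launch page work, but it also means any site that embeds or links to the launch page gets the session cookie attached, which is exactly the cross-site request forgery exposure `Lax` is there to prevent.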

yak32 commented 1 year ago

One potential solution could be uploading some HTML as an asset and embedding the launch page there.

yaustar commented 1 year ago

I wonder if there is a Chrome extension that could be installed to force cross domain cookies for local development?

yaustar commented 1 year ago

Facebook (for instant games) have the ability to create test accounts that have read access permissions to the project.

It would be a bigger job than I would like: related to https://github.com/playcanvas/editor/issues/791, a team/user could create a read-only test user account that has a lower-security cookie for read-only access? The test account can't create or edit any projects, etc.

tobowers commented 1 year ago

Could we do it with a local server with an API key?

yaustar commented 1 year ago

What do you mean by local server @tobowers ?

yaustar commented 1 year ago

New idea suggested from the forums: https://forum.playcanvas.com/t/running-tweakable-build-on-device-without-interactive-login/28867/4?u=yaustar

We could use the REST API token (or similar system) to use as an auth token when requesting the iframe as shown here: https://carstenbehrens.com/how-to-send-request-headers-iframe/

This wouldn't require us to log in and therefore doesn't have the cookie issue?

Maybe the token can be read only for extra security?

tobowers commented 1 year ago

> What do you mean by local server @tobowers ?

I mean "npm run local-playcanvas-dev --project-id=abc"

antoinemacia commented 1 year ago

@yaustar this is pretty sound and also a common implementation for micro frontends.

One relatively simple pattern I see in SDKs that allow third-party extension (where the endpoint is unauthenticated, like the launch URL) is to allow users to specify, via the admin, the domains that would host PC launch links, and check that the application key in the iframe URL matches.

Would that comply with PC's security policies?
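As an added example of the "registered embedding domains plus application key" pattern described in the comment above (this is illustrative code, not anything PlayCanvas has implemented), here is a server-side authorisation check for a launch-page request. The project registry, the `project` and `key` query parameters, the host `launch.example.com` and the allowed origins are all constructed for the example. It checks the key in constant time, rejects requests whose `Referer` names an unregistered embedder, and, because `Referer` is client-supplied and may be suppressed, relies on a `Content-Security-Policy: frame-ancestors` response header as the browser-enforced control over who may frame the page.

```javascript
// Added example (not PlayCanvas code): authorise a launch-page request that
// is meant to be embedded by a registered third-party origin.

// Constructed registry: what a project owner would configure in the admin UI.
const PROJECTS = new Map([
  ['abc', {
    appKey: 'k_0123456789abcdef0123456789abcdef', // per-project key, placed in the iframe URL
    allowedEmbedders: ['http://localhost:3000', 'https://studio.example.com'],
  }],
]);

// Constant-time string comparison so a wrong key cannot be guessed byte by
// byte from response timing. Length leak is acceptable: keys are fixed-length.
function constantTimeEquals(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function originOf(urlString) {
  try { return new URL(urlString).origin; } catch { return null; }
}

// req: { url, headers } with lower-cased header names, as Node's http module provides.
// Returns { status, headers, reason } instead of writing a response, so it is testable.
function authorizeLaunchEmbed(req) {
  const url = new URL(req.url, 'https://launch.example.com'); // base host is hypothetical
  const projectId = url.searchParams.get('project');
  const key = url.searchParams.get('key') || '';
  const project = PROJECTS.get(projectId);

  // 1. The application key must match the project being requested.
  if (!project || !constantTimeEquals(key, project.appKey)) {
    return { status: 403, headers: {}, reason: 'unknown project or bad application key' };
  }

  // 2. If the browser tells us who is framing us, reject unregistered embedders early.
  //    Sec-Fetch-Dest is set by the browser, not by page script; Referer may be absent.
  const isFrame = req.headers['sec-fetch-dest'] === 'iframe';
  const embedder = req.headers.referer ? originOf(req.headers.referer) : null;
  if (isFrame && embedder !== null && !project.allowedEmbedders.includes(embedder)) {
    return { status: 403, headers: {}, reason: `embedder ${embedder} is not registered` };
  }

  // 3. The enforced control: the browser refuses to render the page inside any
  //    ancestor frame whose origin is not listed, even if Referer was stripped.
  return {
    status: 200,
    headers: {
      'Content-Security-Policy': `frame-ancestors ${project.allowedEmbedders.join(' ')}`,
      // Keep the key out of Referer headers sent by the launch page to third parties.
      'Referrer-Policy': 'strict-origin-when-cross-origin',
      'Cache-Control': 'no-store',
    },
    reason: 'ok',
  };
}
```

Two caveats a reviewer would raise on this pattern: a key carried in the iframe `src` is visible to anyone who can view the embedding page's source, so it gates which project can be previewed rather than authenticating a person, and it should be revocable and scoped to read-only preview, in line with the read-only token idea earlier in the thread. The `frame-ancestors` directive is the part that actually stops an unlisted page from framing the launch URL; the `Referer` check only gives a clearer error for misconfigured integrations.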