Frame restrictions prevent remoteStorage apps from being run

[jancborchardt]

I want to port Litewrite to Sandstorm. When trying to connect to my remoteStorage, I got the following error:

Refused to display 'https://5apps.com/users/sign_in' in a frame
because it set 'X-Frame-Options' to 'SAMEORIGIN'.

The remoteStorage library uses OAuth, so it redirects to the provider for log in and then redirects back. Is there a possibility for apps to say it’s ok to redirect? Or what do you recommend we do?

cc @michielbdejong @skddc @galfert for @remoteStorage

[michielbdejong]

@jancborchardt runing a remoteStorage-based app (or any OAuth relying party, for that matter) inside an iframe is not going to work. If you want to host litewrite on sandstorm, then you can visit it on its public (not logged-in) URL, e.g. something like https://alpha.sandstorm.io/grain/Av3HccWRndkmSqMdtK73nM and then in Firefox you could right-click this Frame -> Show only this frame. That will give you a temporary URL that looks like https://alpha-k96cgwofjbb8wyn6p0cf.sandstorm.io/ and that is short-lived (will become a 403 when idle for too long). I guess sandstorm could offer a way to make this "show only this iframe" action automatic.

but:

i think the important consideration here is that you should host your data, and not your app, on sandstorm. About that, there is a discussion here: http://community.remotestorage.io/t/sandstorm-io-personal-cloud-platform/212/9

My 2ct

[raucao]

i think the important consideration here is that you should host your data, and not your app, on sandstorm.

Why not both? I think it'd make total sense to also host your open-source client-side web apps on the same thing that hosts your server-side apps, if you want to self-host them.

[jancborchardt]

Yup, I get your point here @michielbdejong. And for the solution I agree with @skddc that in the case of Sandstorm it would make sense to have both storage and the apps in the same place.

[ocdtrekkie]

Yeah, the goal is to have your data on the server, with your app. While support for external APIs through Sandstorm is coming (soon, they said), the main benefits of a secure sandbox app that is restricted from talking to the outside world is to ensure your data is kept private. Storing your data elsewhere kinda defeats the point.

[kentonv]

i think the important consideration here is that you should host your data, and not your app, on sandstorm. About that, there is a discussion here: http://community.remotestorage.io/t/sandstorm-io-personal-cloud-platform/212/9

Ideally, both the app and the data should be hosted on Sandstorm. If you host the app elsewhere, then the app will not be sandboxed (it could talk back to its home server*), it could disappear (like Google Reader), and it will not be able to interact with Sandstorm's unique features (unified login, sharing, powerbox, etc.).

That said, we will eventually support OAuth to third-party servers. I'd like for this to be mediated through the platform, such that apps never store OAuth credentials. For the moment, as a hack to get around the specific problem, you could probably do it by opening the OAuth flow in a pop-up window, but note that this will stop working at some point.

* Sandstorm's sandbox is incomplete. We will eventually prohibit client-side code from communicating with third-party servers without permission.

[ocdtrekkie]

I think I'm going to close this one, as it pertained to how to have an app on Sandstorm store it's data on some other server, when the preferred Sandstorm model would be to be the place your apps and data are securely stored.

Arguably, someone could make a remoteStorage app that stored it's data on Sandstorm using said spec, but then you'd risk losing the way to understand your data if the web app went away. It's also preferable in this case for your Sandstorm server to host your app as well.

Also, the Powerbox does exist now, and so allowing HTTP requests between apps and other servers is now possible. https://github.com/zenhack/hello-sandstorm-oauth is a great example app.