scratchfoundation / scratch-gui

Graphical User Interface for creating and running Scratch 3.0 projects.
https://scratchfoundation.github.io/scratch-gui/develop/
BSD 3-Clause "New" or "Revised" License

Embed editable project #3217

Open luchotc opened 5 years ago

luchotc commented 5 years ago

Hi, I was wondering if you are planning to add the possibility to embed the project creation page and not only the running project. I'm currently making a tutorial on how to use Scratch and it would be very useful for me to be able to do so. Thanks!

fedescarpa commented 5 years ago

That feature would be awesome!

joker314 commented 5 years ago

This is a nice idea.

There's a risk of a security vulnerability called 'Clickjacking' where a user is deceived into performing state-changing actions in a hidden embedded page. In this attack, the attacker overlays her own content over the embed, but directs all the clicks to the hidden embedded layer underneath. We could do (one of):

kyleplo commented 5 years ago

@luchotc Possible solution to @joker314's ideas: What if the project wasn't signed in by default? Clicking sign in (or join Scratch) would open a new tab with a login form, where the user could choose to log in or not. Logging in would result in the login page redirecting to the project page, while canceling would close the login tab.

Possible Design: image

thisandagain commented 5 years ago

@luchotc Great question! We actually used to have this feature and unfortunately had to disable it because of the threat (and an actual implementation was found in the wild) of Click Jacking. As @joker314 points out, there may be some ways to mitigate the issue, but it's a complex security area.
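
A server-side sketch of the mitigation space discussed in this thread, added here as an example and not code from scratch-gui or from any commenter: pages that carry signed-in state refuse to be framed, while an embeddable editor route is frameable but always anonymous, with sign-in opening in a new tab as kyleplo proposes. The route prefix `/embed/`, the `/login` path and the `session_id` cookie name are assumptions; `frame-ancestors`, `X-Frame-Options` and `Sec-Fetch-Dest` are standard browser mechanisms.

```javascript
// Added example. Route names, the /login path and the cookie name are
// hypothetical; they are not taken from the Scratch code base.
const FRAMED_DESTS = new Set(['iframe', 'frame', 'embed', 'object']);

// Parse a Cookie header into a plain object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide framing headers and whether the session may be honoured.
// req: { path, headers } with lower-cased header names, as Node's http gives.
function framingDecision(req) {
  const dest = (req.headers['sec-fetch-dest'] || '').toLowerCase();
  const framed = FRAMED_DESTS.has(dest);
  const session = parseCookies(req.headers.cookie).session_id || null;

  if (!req.path.startsWith('/embed/')) {
    // Any page that can change account state refuses to render in a frame.
    // Browsers that send no Sec-Fetch-Dest still enforce the two headers,
    // so the 403 is defence in depth, not the primary control.
    return {
      status: framed ? 403 : 200,
      session: framed ? null : session,
      headers: {
        'Content-Security-Policy': "frame-ancestors 'none'",
        'X-Frame-Options': 'DENY',
      },
    };
  }
  // Embeddable editor: frameable, but always anonymous, so clicks routed to
  // a hidden frame have no signed-in state to act on. Sign-in leaves the frame.
  return {
    status: 200,
    session: null,
    headers: { 'Content-Security-Policy': 'frame-ancestors *' },
    signInLink: { href: '/login', target: '_blank', rel: 'noopener' },
  };
}
```

`framingDecision` is a pure function, so it can be called from any request handler and unit-tested with constructed request objects.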