teambtcmap / btcmap.org

Free and open source bitcoin map web application
https://btcmap.org
GNU Affero General Public License v3.0

Update iFrame guidance re location permissions #28

Closed dadofsambonzuki closed 1 year ago

dadofsambonzuki commented 1 year ago

Update Embedding Guidance when known to prevent cross-site geolocation errors.

PeterRounce commented 1 year ago

I have got this working on a test site and the Bolt Card website.

It seems to need allow="geolocation" in the iframe link as a minimum.

Additionally, I added the http header permissions-policy: geolocation=* and some Javascript to get the location on the referring page.

<script>
  // Ask for the user's position on the embedding (referring) page itself.
  // The position is discarded; the call only triggers the browser's
  // geolocation permission flow for this site.
  if (navigator.geolocation) {
    navigator.geolocation.getCurrentPosition(() => {})
  }
</script>

Once it was working, it seems to be ok to remove the http header and Javascript.

I'm not that certain of the mechanisms at work here so would like someone else to have a look as well please.

secondl1ght commented 1 year ago

Thanks for doing the research on this @PeterRounce! I will do some more testing and then update the README with the solution.

secondl1ght commented 1 year ago

I have updated the README with the instructions that I think are the most accurate - @PeterRounce do you mind trying this on your site and confirming that it works please?

PeterRounce commented 1 year ago

I've updated the http header from permissions-policy: * to permissions-policy: geolocation=https://btcmap.org on the Bolt Card website and it has the error back

I note that the temporary test site has no http header but uses the JS to get location and still works.

I didn't want to put a request for location to the user on loading the Bolt Card website because it's not clear to them why I am asking for that permission at that point.

secondl1ght commented 1 year ago

@PeterRounce can you try adding it in the exact same format as the README? It should be: Permissions-Policy: geolocation=("https://btcmap.org")

PeterRounce commented 1 year ago

I have updated it in AWS Cloudfront as below. The header name is lower cased by Cloudfront and should not make a difference.

We get the same error as before.

PeterRounce commented 1 year ago

Trials show that this works:
Permissions-Policy: geolocation=(self "https://www.btcmap.org")
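The thread ends with a header value that works and one that does not, without spelling out why. The following is an added example, not code from the btcmap.org project or from anyone in this thread: it models, in simplified form, the delegation rules of the W3C Permissions Policy specification (a single top-level parent and one feature) and evaluates the header and `allow` attribute combinations discussed above. The embedding-site origin `https://embedding-site.example` is a constructed placeholder; the btcmap origins are the ones quoted in the thread. The point it makes is that origins compare exactly, so an allowlist naming `https://btcmap.org` does not cover a frame whose src is `https://www.btcmap.org`.

```javascript
// Added example (not btcmap.org project code): a small model of how a browser
// decides whether an embedded <iframe> may use the Geolocation API, following
// the W3C Permissions Policy delegation rules in simplified form.

const FEATURE = "geolocation";

// Canonical origin (scheme://host[:port]) for comparisons; null if not a URL.
function normalizeOrigin(text) {
  try {
    return new URL(text).origin;
  } catch {
    return null;
  }
}

// Parse the allowlist for one feature from a Permissions-Policy header value,
// e.g. `geolocation=(self "https://www.btcmap.org")`, `geolocation=*`,
// `geolocation=()`. Returns null when the header does not mention the feature.
function parseHeaderAllowlist(headerValue, feature) {
  for (const entry of headerValue.split(",")) {
    const eq = entry.indexOf("=");
    if (eq === -1) continue;
    const name = entry.slice(0, eq).trim();
    const raw = entry.slice(eq + 1).trim();
    if (name !== feature) continue;
    const list = { all: false, self: false, origins: [] };
    const inner = raw.startsWith("(") && raw.endsWith(")") ? raw.slice(1, -1) : raw;
    for (const tok of inner.split(/\s+/).filter(Boolean)) {
      if (tok === "*") list.all = true;
      else if (tok === "self") list.self = true;
      else if (tok.length >= 2 && tok.startsWith('"') && tok.endsWith('"')) {
        const origin = normalizeOrigin(tok.slice(1, -1));
        if (origin) list.origins.push(origin);
      }
      // Unquoted origins are structured-field tokens rather than strings and
      // browsers drop them; this parser does the same.
    }
    return list;
  }
  return null;
}

// Parse the container policy for one feature from an iframe `allow` attribute,
// e.g. `geolocation`, `geolocation 'self' https://www.btcmap.org`,
// `geolocation *`, `geolocation 'none'`. A bare feature name means 'src'.
function parseAllowAttribute(allowValue, feature, frameOrigin) {
  for (const decl of allowValue.split(";")) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] !== feature) continue;
    const list = { all: false, self: false, origins: [] };
    const rest = tokens.length > 1 ? tokens.slice(1) : ["'src'"];
    for (const tok of rest) {
      if (tok === "*") list.all = true;
      else if (tok === "'self'") list.self = true;
      else if (tok === "'src'") list.origins.push(frameOrigin);
      else if (tok === "'none'") continue; // contributes nothing
      else {
        const origin = normalizeOrigin(tok);
        if (origin) list.origins.push(origin);
      }
    }
    return list;
  }
  return null;
}

function allowlistMatches(list, origin, documentOrigin) {
  return list.all || (list.self && origin === documentOrigin) || list.origins.includes(origin);
}

// Decide whether `feature` is enabled inside a frame whose src has origin
// `frameOrigin`, embedded by a top-level document at `parentOrigin` that sent
// `parentHeader` as its Permissions-Policy and used `frameAllow` on the iframe.
function featureEnabledInFrame({ feature = FEATURE, parentHeader = "", parentOrigin, frameAllow = "", frameOrigin }) {
  // 1. The parent is top-level here, so its own inherited policy is Enabled.
  // 2. If the parent's header declares the feature, its allowlist must cover the
  //    frame's origin. Origins compare exactly: "https://btcmap.org" and
  //    "https://www.btcmap.org" are different origins.
  const declared = parseHeaderAllowlist(parentHeader, feature);
  if (declared && !allowlistMatches(declared, frameOrigin, parentOrigin)) return false;
  // 3. If the iframe carries an allow attribute for the feature, its allowlist decides.
  const container = parseAllowAttribute(frameAllow, feature, frameOrigin);
  if (container) return allowlistMatches(container, frameOrigin, parentOrigin);
  // 4. Otherwise the feature's default allowlist applies; for geolocation that is
  //    'self', so only a same-origin frame gets it.
  return frameOrigin === parentOrigin;
}

// Constructed scenarios mirroring the configurations discussed in the thread.
const EMBEDDER = "https://embedding-site.example"; // placeholder embedding page
const MAP = "https://www.btcmap.org";

const scenarios = [
  { name: "header lists self + www origin, allow=geolocation",
    parentHeader: 'geolocation=(self "https://www.btcmap.org")', frameAllow: "geolocation", expect: true },
  { name: "header lists apex origin only, frame src is www origin",
    parentHeader: 'geolocation=("https://btcmap.org")', frameAllow: "geolocation", expect: false },
  { name: "no header, allow=geolocation", parentHeader: "", frameAllow: "geolocation", expect: true },
  { name: "no header, no allow attribute", parentHeader: "", frameAllow: "", expect: false },
  { name: "header disables geolocation everywhere", parentHeader: "geolocation=()", frameAllow: "geolocation", expect: false },
];

function runScenarios() {
  return scenarios.map(s => ({
    name: s.name,
    result: featureEnabledInFrame({ parentHeader: s.parentHeader, parentOrigin: EMBEDDER, frameAllow: s.frameAllow, frameOrigin: MAP }),
    expect: s.expect,
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runScenarios()) console.log(`${r.result === r.expect ? "ok  " : "FAIL"} ${r.name}: ${r.result}`);
}
```

Run it with `node` to print one line per scenario. Note that the model needs only the iframe's `allow="geolocation"` for a cross-origin frame to be delegated the feature when the embedding page sends no Permissions-Policy header at all; once a header is sent, its allowlist must also name the frame's exact origin (or `self` for same-origin frames), which is why the apex-only value fails for a `www` frame.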