tiddlyhost / tiddlyhost-com

Rails application for creating and hosting TiddlyWiki sites, plus resources for deploying it to https://tiddlyhost.com/

iframes to tiddlyhost sites don't work #206

Closed twMat closed 2 years ago

twMat commented 2 years ago

In a tiddlyhosted wiki, an iframe to another tiddlyhosted wiki doesn't work, even for public tiddlyhost sites.

<iframe src="https://xxxxxxxxxx.tiddlyhost.com/" width="100%" height="500" frameborder="0"></iframe>

Is it intentionally blocked or could this be fixed?

simonbaird commented 2 years ago

Not intentionally blocked for frames, but we do block cross site access by default.

I tried it and I can see this in the chrome console:

Refused to display 'https://simon.tiddlyhost.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Perhaps Tiddlyhost could allow cross-site frames amongst sites that you own.

What's the use case?

twMat commented 2 years ago

> What's the use case?

I'm setting up two basically identical wikis - red and blue - to demo the Federation plugin, i.e. a plugin that allows fetching of tiddlers from other wikis (that also have the Federation plugin installed). The iframes are to be used so you can investigate the other wiki before you import from it.

> Perhaps Tiddlyhost could allow cross-site frames amongst sites that you own.

Hm, TH does allow cross-site iframes to external servers, e.g. tiddlywiki.com ...so why can't it just fully allow cross-site iframes to all TH wikis?

twMat commented 2 years ago

(bump)

simonbaird commented 2 years ago

I guess it's related to this header:

X-Frame-Options: SAMEORIGIN

simonbaird commented 2 years ago

I don't understand all the clickjacking risks, and maybe they're negligible, but I'd rather be cautious.

Are you still thinking you need that for your demo? Maybe it could be configurable, so you could enable it explicitly for your sites if you want. FYI the configuration would be "Allow this site to be used in an iframe", so you'd check that option for a site and then it would become usable in an iframe.
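The per-site opt-in described above, as an added example that is not part of the Tiddlyhost code base or of this thread: a plain Ruby function that picks the anti-clickjacking headers for a response based on a hypothetical `allow_iframe` flag, keeps the main site (with its "Delete account" button) unframeable regardless of any setting, and a small helper that mirrors the browser's decision that produced the "Refused to display ... in a frame" console error quoted earlier. The `Site` struct, `SITE_SETTINGS`, `MAIN_SITE_HOST` and the red/blue hostnames are constructed for the example.

```ruby
# Added example (not Tiddlyhost's own code): choose the framing headers for a
# response from a per-site "allow this site to be used in an iframe" setting.
# Site, SITE_SETTINGS and MAIN_SITE_HOST are constructed for this example.

Site = Struct.new(:host, :allow_iframe, keyword_init: true)

# Constructed sample data: two demo wikis and the main account-management host.
MAIN_SITE_HOST = "tiddlyhost.com" # carries "Delete account"; never frameable
SITE_SETTINGS = {
  "red.tiddlyhost.com"  => Site.new(host: "red.tiddlyhost.com",  allow_iframe: true),
  "blue.tiddlyhost.com" => Site.new(host: "blue.tiddlyhost.com", allow_iframe: false),
}

# Returns the response headers to add for a request to +host+.
# Both the legacy X-Frame-Options header and the CSP frame-ancestors directive
# are emitted where they agree; browsers that understand frame-ancestors use it
# and ignore X-Frame-Options, older ones fall back to X-Frame-Options.
def frame_headers_for(host)
  if host == MAIN_SITE_HOST
    # Account-level actions live here, so no page may frame it at all.
    return {
      "X-Frame-Options" => "DENY",
      "Content-Security-Policy" => "frame-ancestors 'none'",
    }
  end

  site = SITE_SETTINGS[host]
  if site && site.allow_iframe
    # The owner opted in: any origin may embed this wiki. Only CSP can express
    # "allow everyone", so X-Frame-Options is deliberately omitted here.
    { "Content-Security-Policy" => "frame-ancestors *" }
  else
    # Default: same-origin framing only, so a third-party page cannot overlay
    # the wiki's own buttons (clickjacking). Unknown hosts get the default too.
    {
      "X-Frame-Options" => "SAMEORIGIN",
      "Content-Security-Policy" => "frame-ancestors 'self'",
    }
  end
end

# Mirrors the browser-side check: may a document served from +embedding_origin+
# (e.g. "https://blue.tiddlyhost.com") render +framed_host+ inside an iframe?
def framing_allowed?(framed_host, embedding_origin)
  policy = frame_headers_for(framed_host)["Content-Security-Policy"]
  sources = policy.sub("frame-ancestors ", "")
  case sources
  when "*"      then true
  when "'none'" then false
  when "'self'" then embedding_origin == "https://#{framed_host}"
  else false # any source list we did not generate is treated as a refusal
  end
end

if $PROGRAM_NAME == __FILE__
  # red opted in, so blue may frame it; blue did not, so red may not frame blue.
  puts framing_allowed?("red.tiddlyhost.com", "https://blue.tiddlyhost.com")  # true
  puts framing_allowed?("blue.tiddlyhost.com", "https://red.tiddlyhost.com")  # false
  puts framing_allowed?("tiddlyhost.com", "https://tiddlyhost.com")           # false
end
```

The check for the main site runs before the per-site lookup on purpose: even if a row for `tiddlyhost.com` were ever added to the settings table with the flag set, the account page would still refuse to be framed.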

simonbaird commented 2 years ago

https://www.youtube.com/watch?v=_tz0O5-cndE makes it pretty clear. I guess the real risks would be low for a TW site. You could imagine a contrived scenario where a malicious site tricked you into deleting a tiddler and clicking save, but it seems unlikely to be a practical concern. As long as we disallow iframes on the main site url, since there is a "Delete account" button exactly like the clickjacking demo in that video.

twMat commented 2 years ago

@simonbaird , thanks for your thoughts.

> the configuration would be "Allow this site to be used in an iframe", so you'd check that option for a site and then it would become usable in an iframe.

Yes that would be useful for the demo I mention here above. Thank you.

Regarding the safety measures, I don't understand why iframing other TH sites should be more dangerous than iframing totally external sites. (As I mention above, it works to show e.g. tiddlywiki.com in an iframe on a TH site.)

simonbaird commented 2 years ago

The risk is for the site inside the frame.

simonbaird commented 2 years ago

Should be working now, but you have to first enable it in site settings. @twMat let me know if it works for your demo.