visual-tools / tm-globe


how to integrate into tm's website #7

Open christopherreay opened 6 years ago

TapdancingRodent commented 6 years ago

As far as I can tell we can't embed the app because WordPress has restricted its iframe API out of security concerns. Either way we're likely to run into Cross-Site Scripting protection problems unless we can get the app also running on their servers. The neatest way to do this is some kind of reverse proxy (most people use nginx) but that is something we need to talk to them about. Alternatively, it might be possible to host it with native WordPress functionality but I'm not familiar enough with WordPress to say either way.

tyeth commented 6 years ago

It looked like wp-d3 plugin has the functionality. Just need to upload the assets and change references.

On 9 Sep 2017 11:27 a.m., "TapdancingRodent" notifications@github.com wrote:

As far as I can tell we can't embed the app because WordPress has restricted its iframe API out of security concerns. Failing that, we're likely to run into Cross-Site Scripting protection problems unless we can get the app also running on their servers. The neatest way to do this is some kind of reverse proxy (most people use nginx) but that is something we need to talk to them about. Alternatively, it might be possible to host it with native WordPress functionality but I'm not familiar enough with WordPress to say either way.


christopherreay commented 6 years ago

iframes have literally zero security concerns, as defined by browser sandboxing

the iframe filteringoutness is to stop people posting content with iframes in it, not to stop developers including iframes in pages

christopherreay commented 6 years ago

Iframes do not suffer from cross site scripting issues. They are memory wise, separate browser tabs

christopherreay commented 6 years ago

I have relatively good nginx-fu

christopherreay commented 6 years ago

What I'm getting from this is that tm use WordPress (a good choice in today's ecosystem).

https://en-gb.wordpress.org/plugins/iframe/

check out the embed feature built into WordPress core as described there

this, for example, is completely untrue: http://www.wpbeginner.com/glossary/iframe/, since an iframe would suffer cross site scripting issues if it wasn't window.location at the host server. If your WordPress site has been hacked already, iframes have nothing to do with "backdoors", since the backdoor already exists

TapdancingRodent commented 6 years ago

Oh magic, looks like iframes are the way to go then.

As it happens I'd actually read that iframe page before and misinterpreted it as "iframes were removed" rather than "iframes use a different tag" so thanks for clearing that up =)

christopherreay commented 6 years ago

do we need to do this today?

johnkellas commented 6 years ago

No. Tomorrow pm (am american time)

christopherreay commented 6 years ago

The point here that you are missing from the endemic ecosystem of "wordpress", is that people can't POST content with iframes in it, NOT that developers can't INCLUDE iframes in content