Open esaruoho opened 7 years ago
this might take a bit of untangling. my working copy references e.g. //localhost
as expected
<script src="//localhost:8000/scripts/embed.js" data-vizorurl="//localhost:8000/embed/eesn/six" ></script>
the reason we use //
instead of http://
or https://
is because some browsers e.g. Chrome, deny the parent frame (the page on which the embed happens) communicating with the child iframe created by embed.js (which shows the vizor experience), so iframeWindow.postMessage
fails, and relaying of e.g. devicemotion events fails, which has implications for mobile.
seems to be this snippet in app.js that forces the page to https but for the embed and embedded content it should keep to whatever the protocol was
app.use((req, res, next) => {
// Google Cloud Load Balancer: redirect to https if not secure
var fwdProto = req.get('x-forwarded-proto')
if (!fwdProto)
return next()
if (fwdProto !== 'https')
return res.redirect('https://' + req.get('host') + req.url)
next()
})
@kschzt Jaakko might you have a solution for this?
tag @kschzt we're forcing https on route(s) that should remain open to both http and https - the embed and embedded project need to keep the same protocol as the page on which the vizor project is embedded. hälp
Notice this is related to userpage sharing, not "in-patches-editor-sharing".
current embed code generation in profile_view ( http://vizor.io/esaruoho -> select project -> tap on Share) is missing http://vizor.io at the start
compare to what was launched way back when ( https://twitter.com/vizor_vr/status/731213475037466625 - officially posted on 13th of May 2016 on Vizor_VR) -
and you'll see that really, the embed code SHOULD be created with http://vizor.io/scripts/embed.js instead of only /scripts/embed.js
the user cannot be expected to figure this out on their own. (example of confused user: https://vizorvr.slack.com/archives/C0D7S35JQ/p1498874721217943 )