voxel / voxel-webview

embed webpages in a voxel.js world using CSS 3D (voxel.js plugin)

X-Frame-Options denies using voxel-webview with many interesting websites - use a CORS proxy #4

Open deathcap opened 10 years ago

deathcap commented 10 years ago

Many popular sites use the X-Frame-Options HTTP header to prevent being loaded in an iframe, so they cannot be viewed with voxel-webview.

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

http://stackoverflow.com/questions/6666423/overcoming-display-forbidden-by-x-frame-options

Some have specific 'embeddable' versions, e.g. for YouTube: http://www.youtube.com/embed/j6cxZp4ii6c?autoplay=true


or Vimeo player, Google Maps &output=embed, or http://embed.ly/ - but this doesn't apply in general. Unable to load https://news.ycombinator.com/ (deny), http://reddit.com/ (same-origin), among others.

The Web Displays modification for Minecraft can do this because it embeds its own web browser, apparently: Awesomium (but maybe WebKit in the future?).

An extreme alternative: webkit.js (article), a pure JavaScript port of WebKit which can run the browser and output to canvas. But it is not complete (likely doesn't support WebGL yet ;), and it seems more reasonable to use the browser's built-in functionality. https://github.com/deathcap/voxel-webview/issues/6

A more moderate workaround: use a proxy, similar to CORS Proxy which adds the Access-Control-Allow-Origin header (actually, could even use this and then set the iframe contents?), but instead have it strip the X-Frame-Options header (should probably strip cookies too).

deathcap commented 10 years ago

npmjs.org, which I was using as the default example URL, has now set X-Frame-Options: deny. Maybe as part of their recent security audit http://blog.npmjs.org/post/80277229932/newly-paranoid-maintainers - but this now prevents this example from working :(

deathcap commented 9 years ago

ref GH-6 WebKit.js for rendering embedded web views instead of iframe

Added https://github.com/deathcap/voxel-webview/blob/master/default.html with some non-"X-Frame-Options: deny/sameorigin" website links. http://cors.maxogden.com is running a cors-proxy but using it is not as simple as http://cors.maxogden.com/http://www.google.com/ - need to use XMLHttpRequest to request programmatically. And also rewrite all the embedded links or external references.
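The framing check that causes the failures reported in this thread, as an added example that is not part of the original issue or the voxel-webview code: it predicts from response headers whether an iframe load will be blocked, and goes beyond the thread by also covering the CSP `frame-ancestors` directive, which overrides `X-Frame-Options` when present. The function names, the `https://voxel.example` embedder origin, the `.example` hosts and the sample headers are constructed for illustration.

```javascript
// Predict whether a browser renders pageUrl inside an iframe hosted at
// embedderOrigin, from response headers alone. Assumptions: one header of each
// kind, a single top-level embedder, ports ignored.
function sourceMatches(source, pageUrl, embedderOrigin) {
  const src = source.toLowerCase();
  const page = new URL(pageUrl);
  const embedder = new URL(embedderOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return page.origin === embedder.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src; // scheme source
  // Host source; a missing scheme is taken from the framed page.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/.exec(src);
  if (!m) return false;
  if ((m[1] || page.protocol.slice(0, -1)) + ':' !== embedder.protocol) return false;
  return m[2].startsWith('*.')
    ? embedder.hostname.endsWith(m[2].slice(1)) // "*.a.example" matches subdomains only
    : embedder.hostname === m[2];
}

function framingDecision(pageUrl, headers, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const allowed = sources.some((s) => sourceMatches(s, pageUrl, embedderOrigin));
    return { allowed, reason: 'CSP ' + directive.trim() };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const sameOrigin = new URL(pageUrl).origin === new URL(embedderOrigin).origin;
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') return { allowed: sameOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  return { allowed: true, reason: 'no enforceable framing restriction' };
}

// Constructed sample responses mirroring the behaviours reported in the issue.
const EMBEDDER = 'https://voxel.example'; // hypothetical origin hosting voxel-webview
const samples = [
  ['https://news.ycombinator.com/', { 'X-Frame-Options': 'DENY' }],
  ['http://reddit.com/', { 'X-Frame-Options': 'SAMEORIGIN' }],
  ['https://maps.example/', { 'Content-Security-Policy': "default-src 'self'; frame-ancestors https://voxel.example" }],
  ['https://plain.example/', {}],
];
for (const [url, headers] of samples) {
  const d = framingDecision(url, headers, EMBEDDER);
  console.log(url, d.allowed ? 'frameable' : 'blocked', '(' + d.reason + ')');
}
```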