#sandstorm on 2024-04-18 — irc logs at libera.irclog.whitequark.org

2023-10-24 18:17 ocdtrekkie changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Sandstorm and Cap'n Proto. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Channel logs available at https://libera.irclog.whitequark.org/sandstorm | Note that many community members are on #sandstorm:libera.chat on Matrix, and the bridge is currently disabled.

01:02 larjona has quit [Quit: No Ping reply in 180 seconds.]

01:03 larjona has joined #sandstorm

15:50 tian2992 has quit [Remote host closed the connection]

18:50 <jfred> Hmm. Question for y'all - I just tried embedding a Sandstorm grain in a Matrix widget, but got denied due to an X-Frame-Options header. Is it possible to embed a Sandstorm grain into another site/webapp like this? (I guess I could rewrite X-Frame-Options in my web server... security ramifications there?)

18:52 <jfred> It's a private Matrix room so my intent is for that grain to be accessible by all members of the room. (It's a SandCal grain)

20:28 <TimMc> jfred: Hmm... looks like it's not configurable. And it's all in C++ so I don't know what your appetite for a patch would be.

20:29 <jfred> If it wouldn't be a security disaster for some reason I might just have my reverse-proxying web server strip the header

20:29 <TimMc> If you needed to add an exception, my recommendation would be to rewrite the Content-Security-Policy header to add a frame-ancestors directive, as that would override the XFO header.

20:30 <TimMc> What origins would you need to allow? I don't know what Matrix widgets are, but in Matrix this would have to work from a bunch of origins, right?

20:32 <jfred> Right, any Matrix client I think - and I'm not actually even sure what this really means for e.g. desktop Matrix clients

20:36 <jfred> (although Element Desktop is the first client I tried to view the widget with and it does seem to refuse to embed it - it's Element Web in an Electron shell)

20:40 <TimMc> Hacky idea: Single-page website that just serves that one sharing link.

20:40 <TimMc> (on an undiscoverable URL, and with appropriate CSP header etc.)

20:45 <jfred> heheh, could work

20:46 <jfred> I wish there were an "embeddable" checkbox or some such thing when creating a sharing link

23:03 tian2992 has joined #sandstorm

23:19 tian2992 has quit [Remote host closed the connection]

23:24 tian2992 has joined #sandstorm