ocdtrekkie changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Sandstorm and Cap'n Proto. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Channel logs available at https://libera.irclog.whitequark.org/sandstorm | Note that many community members are on #sandstorm:libera.chat on Matrix, and the bridge is currently disabled.
larjona has quit [Quit: No Ping reply in 180 seconds.]
larjona has joined #sandstorm
tian2992 has quit [Remote host closed the connection]
<jfred>
Hmm. Question for y'all - I just tried embedding a Sandstorm grain in a Matrix widget, but got denied due to an X-Frame-Options header. Is it possible to embed a Sandstorm grain into another site/webapp like this? (I guess I could rewrite X-Frame-Options in my web server... security ramifications there?)
<jfred>
It's a private Matrix room so my intent is for that grain to be accessible by all members of the room. (It's a SandCal grain)
<TimMc>
jfred: Hmm... looks like it's not configurable. And it's all in C++ so I don't know what your appetite for a patch would be.
<jfred>
If it wouldn't be a security disaster for some reason I might just have my reverse-proxying web server strip the header
<TimMc>
If you needed to add an exception, my recommendation would be to rewrite the Content-Security-Policy header to add a frame-ancestors directive, as that would override the XFO header.
<TimMc>
What origins would you need to allow? I don't know what Matrix widgets are, but in Matrix this would have to work from a bunch of origins, right?
<jfred>
Right, any Matrix client I think - and I'm not actually even sure what this really means for e.g. desktop Matrix clients
<jfred>
(although Element Desktop is the first client I tried to view the widget with and it does seem to refuse to embed it - it's Element Web in an Electron shell)
<TimMc>
Hacky idea: Single-page website that just serves that one sharing link.
<TimMc>
(on an undiscoverable URL, and with appropriate CSP header etc.)
<jfred>
heheh, could work
<jfred>
I wish there were an "embeddable" checkbox or some such thing when creating a sharing link
tian2992 has joined #sandstorm
tian2992 has quit [Remote host closed the connection]