If you are open links like
https://CANISTER_ID.ic0.app inside IFrame of another app
https://PARENT_CANISTER_ID.ic0.app, then boundary nodes adds a response header
X-Frame-Origin: Deny and IFrame does not open. Is is sad
Maybe make adding this header customizable?
I am checking to see if it is possible to open a front-end canister link in the IFrame (in iframe in iframe) and I ran into a problem: the front-end canisters work in the IFrame only when they are loaded from
Note: In simple terms
raw means that the assets will be loaded “as is” without any data certification checks in the browser. And as it was said in other topics: in this case, data checks must be performed by itself
If you first open the link without
https://CANISTER_ID.ic0.app) in another tab (“warm up”), then this link starts to open in the IFrame of
This is because the service worker is already loaded, the service worker checks the certificates. At the next request for
X-Frame-Origin: Deny header is absent (which does not interfere with the display in the iframe)
I managed to get some of the service worker code for checking certificates from devtools, but I suspect that this is not the whole code. If you have to use
raw domain, then it would be nice to get the source code of the worker to independently connect to my canister.
Perhaps the header
X-Frame-Origin: Deny should save from
click-jacking, but that’s not entirely true. Because it turns out that if you use
raw links, then the IFrame opens and it loses its meaning. And if we take into “point 1”, then it becomes interesting: why was this protection used at all and what does it protect from?
If the certificates are verified (without
raw urls), no malicious code will get to the canister from the middle-node or malicious node. This means that the responsibility lies with the developers of the canister. They must make sure that no malicious code appears on their page. After all, you can’t slip a script from the parent window into the iframe, since these are different domains and the browser will block any manipulation with the IFrame. At the same time,
raw links works quietly in the IFrame, and without checking the certificates.
If I’m wrong - correct me please
let’s give the asset canister minimal ability to control the headers. For example, if the canister adds
X-Frame-ORIGIN: SAMEDOMAIN or
X-Frame-ORIGIN: "" to response, then the boundary nodes will not override that headers.
This will open up great opportunities for integrating canisters with each other.