
Using fact that Markdown supports inline HTML to have iframe on portals possible?

Open yvanlebras opened this issue 2 years ago • 3 comments

Describe the feature you'd like
Having the possibility to use an iframe HTML tag on markdown pages from portals to embed external websites

Is your feature request related to a problem? Please describe.
It seems markdown can do it, but testing it on a portal doesn't work. I guess there is a security "firewall" on metacatui that prevents this? Can we deactivate such a "firewall" easily? Or maybe there are other ways to embed external web content into portal markdown pages?

yvanlebras avatar Oct 25 '23 23:10 yvanlebras

Hey @yvanlebras -- I agree that would be great. The constraint is due to security issues for executable content and XSS attacks. Here's a quick overview of some of the issues: https://showdownjs.com/docs/xss/ In metacatui, what is filtered out is somewhat configurable, but @robyngit may have thoughts on what is and isn't feasible. If you control and trust who is editing the portal, then it's reasonable to open it up further, but for us most of our sites allow arbitrary people on the internet to create and edit portals, which means we need to be more careful. We have several related feature requests, such as to allow embedded visualizations such as Shiny apps. See https://github.com/NCEAS/metacatui/issues/1383

mbjones avatar Oct 26 '23 00:10 mbjones

@yvanlebras we have been discussing this issue for a long time: the need to enable more types of content in portals vs. the risks involved with embedding external content.

One way to mitigate the risks and still enable <iframe> content could be to allow content only from a set list of trusted domains. We could either enforce this at the point at which the markdown is rendered into HTML (browser-side) or when the request is made (server-side, via a Content Security Policy (CSP)). The downside is that this would involve compiling a list of domains that have content that users want to include, ensuring those domains are trustworthy, then monitoring them over time, all of which could become tedious and time consuming...

I'm open to other ideas on how we achieve this! What types of external content are you hoping to be able to include in portals?

robyngit avatar Oct 26 '23 22:10 robyngit
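
The domain allowlist described in the comment above, sketched as an added example (not MetacatUI code and not posted by anyone in this thread): one host list drives both a browser-side filter over the rendered markdown and a server-side CSP `frame-src` value. The host list, the function names and the sandbox tokens are assumptions.

```javascript
// Added example, not MetacatUI code. The allowlist is a constructed sample.
const TRUSTED_FRAME_HOSTS = new Set(["usegalaxy.eu", "usegalaxy.org.au"]);

// True only for absolute https URLs whose parsed host is on the list.
function isTrustedFrameSrc(src, hosts = TRUSTED_FRAME_HOSTS) {
  let url;
  try {
    // No base URL: relative and protocol-relative values throw and are rejected.
    url = new URL(String(src).trim());
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false; // drops javascript:, data:, http:
  if (url.username || url.password) return false; // no user:pass@ confusion
  // Exact match on the parsed host (includes any non-default port),
  // never a substring or suffix test on the raw string.
  return hosts.has(url.host);
}

// Browser-side: run on the DOM produced from the rendered markdown.
// Returns the src values that were removed so they can be logged.
function filterIframes(root, hosts = TRUSTED_FRAME_HOSTS) {
  const removed = [];
  for (const frame of Array.from(root.querySelectorAll("iframe"))) {
    const src = frame.getAttribute("src") || "";
    // srcdoc overrides src, so a frame carrying it is treated as untrusted.
    if (isTrustedFrameSrc(src, hosts) && !frame.hasAttribute("srcdoc")) {
      // Assumed sandbox policy; loosen per embed only when needed.
      frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
      frame.setAttribute("referrerpolicy", "no-referrer");
    } else {
      removed.push(src);
      frame.remove();
    }
  }
  return removed;
}

// Server-side: the same list as a Content-Security-Policy header value.
function frameSrcPolicy(hosts = TRUSTED_FRAME_HOSTS) {
  return "frame-src " + [...hosts].map((h) => `https://${h}`).join(" ");
}
```

The browser-side filter only cleans up what the editor and viewer render; the CSP header is what the browser enforces even if a frame slips past the filter.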

Hi Matt, Robyn, coming back to this issue with a "domain"-oriented point (when my original question was to open any kind of sources to be included) which can be of particular interest for metacat/metacatui, as it is relying on well-known open source communities and continent-wide trusted services by open science clouds, at least in Europe and Australia. Here I am thinking about continental Galaxy servers and the possibility to embed Galaxy workflows into websites through an iframe, as shown in this blog post: https://galaxyproject.org/news/2024-04-26-workflows-workflows-workflows/ . Here is an example on an online markdown editor from the usegalaxy.eu instance: https://codimd.math.cnrs.fr/wvsIeWo3QLKGNjmZXHP0IQ?view

yvanlebras avatar May 16 '24 10:05 yvanlebras

@yvanlebras I'm going to merge this issue with #1383, supporting embedded viz tools in portals. This issue is on our road map. If you have more ideas about how to safely embed visualizations from external sites, and what types of visualizations would be useful in addition to Galaxy workflows, please add your comments to #1384. Would love to hear your ideas!

robyngit avatar Jun 27 '24 21:06 robyngit