keycombiner icon indicating copy to clipboard operation
keycombiner copied to clipboard

Published 20 hours ago verified publisher icon tkainrad

Allow to embed KeyCombiner in iframes

Open tkainrad opened this issue 2 years ago • 1 comments

Requested via mail

Currently, KeyCombiner's CSRF protection prevents embedding it in iframes. Check how iframe embedding can be allowed without compromising on security.

tkainrad avatar Oct 02 '21 19:10 tkainrad

I have played around with this a bit. Some potential issues

  • The Keyboard.getLayoutMap() API is only available from a top-level browsing context and will not work in an iframe. Users might not be aware.
  • KeyCombiner can detect if the client is the official desktop app and then allow to practice browser shortcuts. This does not work with iframes embedded in other desktop software, such as Obsidian.
  • Tools like Notion seem to only embed certain apps as iframes. Even if KeyCombiner would allow embedding, it would likely not work in Notion and many other apps. I did manage to get it to work for Obsidian though.

Will have to do some more research on the security implications - specifically allowing session and CSRF cookies to be sent cross-site.

tkainrad avatar Oct 03 '21 08:10 tkainrad