Expose a Javascript API for non-iframe embedded usage #155
Comments
We think there may be some security issues with embedding bloom-player in a site without using an iframe, unless it is limited to reading books the site owner controls completely. JavaScript embedded in the book would have complete access to everything in the host website.
I think things can definitely be achieved using the iframe approach, but it can make things simpler just to have a Javascript API. The way that I would leverage this in a secure way embedded in another site would be first to have a sandboxed iframe served from a different origin - this would be embedded in the parent page, and communicate via the postMessage API to allow data flow in and out. Inside the sandboxed iframe, the bloom player would be initiated via the JS API, using parameters passed in via the postMessage API. Admittedly, a further iframe inside the sandboxed iframe could be used and the details passed in via the GET params, but the JS API would give a bit more flexibility to reactively update without a full page refresh. I did a first pass implementation of allowing the parameters to be passed into the
But had to make a separate build to export a library that did not auto-initialize the controls. I wonder if that initial call in
That sounds a lot like what we're already doing. Bloom Player is already designed to live in a sandbox iframe and communicate with a host outside the iframe using various postMessage calls (look at externalContext.js if you haven't already) and to let other things be controlled by the iframe URL.
Sounds good - yeah, this was just me playing around with the code to ensure I understood what each thing was doing, but your suggested implementation sounds good!
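The host-page side of the sandboxed-iframe and postMessage arrangement discussed in the comments above, as an added example that is not part of the original thread or of Bloom Player's code. The message types, the origin value and the function names are assumptions for illustration, not Bloom Player's actual protocol.

```javascript
// Added example. Names, origin and message types are assumptions for
// illustration; this is not Bloom Player's actual message protocol.
const ALLOWED_TYPES = new Set(["ready", "pageChanged", "bookFinished"]);

// Returns a listener for window.addEventListener("message", ...).
// It returns a status string so each decision can be logged or tested.
// getPlayerWindow would normally be () => iframe.contentWindow.
function createHostReceiver({ playerOrigin, getPlayerWindow, onMessage }) {
  return function receive(event) {
    // 1. Sender identity: the message must come from the player iframe's
    //    own window. When the sandbox omits allow-same-origin, event.origin
    //    is the literal string "null", so this is the check that matters.
    if (event.source !== getPlayerWindow()) return "rejected:source";
    // 2. Origin: exact string comparison, never a prefix or regex match.
    if (event.origin !== playerOrigin) return "rejected:origin";
    // 3. Payload is untrusted (book JavaScript can post anything):
    //    parse JSON strings and accept only objects with a known type.
    let msg = event.data;
    if (typeof msg === "string") {
      try {
        msg = JSON.parse(msg);
      } catch {
        return "rejected:json";
      }
    }
    if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
      return "rejected:shape";
    }
    if (!ALLOWED_TYPES.has(msg.type)) return "rejected:type";
    // 4. Pass on a copy holding only validated primitive fields, so
    //    unexpected properties never reach host-page code.
    const clean = { type: msg.type };
    if (Number.isInteger(msg.page) && msg.page >= 0) clean.page = msg.page;
    onMessage(clean);
    return "accepted";
  };
}

// Host -> player: pin targetOrigin to the player's origin. An opaque-origin
// sandbox (event.origin "null") cannot be targeted by origin, so "*" is the
// only option there and the command must carry nothing sensitive.
function sendToPlayer(playerWindow, playerOrigin, command) {
  const target = playerOrigin === "null" ? "*" : playerOrigin;
  playerWindow.postMessage(JSON.stringify(command), target);
}
```
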
Would be good to be able to do a conventional import on the NPM package for use in Javascript - with the options passed as an options object to the constructor.
Would be happy to take a stab at this if there's any interest! Looks like a great project, and the bloomPub format has some really exciting features!