Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
Conversation
I guess there's also the "redesign not to have iframes" hot take, which you may have discarded at first, but maybe there's a way, if contrived, to make it work that is more robust longer term
1
Replying to
Right. This is for Orbit, obviously. I can make it work better if the publisher’s willing to let me execute JS, but that’s often not possible: I’d like Orbit to be embeddable in Medium, Notion, WordPress, Confluence, etc, and that means sandboxed iframes.
That SDK exists, and it’s called Embed.ly! :) To get a special deal giving me what I need is definitely out of scope until world domination plans are further along…
2
Show replies