Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
I guess there's also the "redesign not to have iframes" hot take, which you may have discarded at first, but maybe there's a way, if contrived, to make it work that is more robust longer term
Right. This is for Orbit, obviously. I can make it work better if the publisher’s willing to let me execute JS, but that’s often not possible: I’d like Orbit to be embeddable in Medium, Notion, WordPress, Confluence, etc, and that means sandboxed iframes.
What about an SDK they control, and you expose an API on your end?
That SDK exists, and it’s called Embed.ly! :) To get a special deal giving me what I need is definitely out of scope until world domination plans are further along…
But make an Orbit-React one, put it in GitHub, all the cool kidz will love it :p
I already have, minus the GitHub part! :) If you’re self-hosting or whatever, then yeah, we can collaborate with the first party to create a better experience.
Hm I guess if you want universal embeddables then yeah there is no escape; I was thinking say getting Notion to have a special Orbit widget that is just a bunch of HTML and talks to the Orbit backend via an api key unique to the user
Unlikely to happen anytime soon, I expect! But yeah, maybe we can make some middleware for interested second-parties.

