Extending the iframe whitelist

[Marc DiPasquale]

Hi, 

When embedding iframes it would be nice if there was a way to extend the whitelist with custom domains or by default allow all and maybe build up a blacklist. We're using codelabs to create "how to tutorials" for devs using our technology and need to whitelist our domain and the domains of some of our partners to embed iframes but it would feel weird to start to request those domains be whitelisted at the top level in the claat tooling. Thoughts on how this can be accomplished? 

thanks,

Marc

[Marc Cohen]

Hi Marc,

I would consider forking the repo and maintaining your whitelist in a private copy, while resynching the main repo periodically to pick up new features. Another option would be add a "private whitelist" command line option to the main repo. That would be a little more work, although not a huge undertaking, and it would solve both problems in one executable. Yet another option would be an override whitelist, i.e. anything goes for iframe URLs. That's probably easiest of all but also the most vulnerable to security problems.

Marc

--
You received this message because you are subscribed to the Google Groups "codelab-authors" group.
To unsubscribe from this group and stop receiving emails from it, send an email to codelab-autho...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/codelab-authors/e0cffd07-14b3-44d4-bb1b-bf7585a35f61%40googlegroups.com.

--

Marc Cohen

Web: mco.dev

Email: m...@google.com

Working with me: go/mco-work

Q: Why is this email three sentences or less?

A: three.sentenc.es

[Marc DiPasquale]

Thanks for the ideas Marc. Will update this thread when we figure out what we are going to do. 

On Monday, May 18, 2020 at 9:15:20 AM UTC-4, Marc Cohen wrote:

Hi Marc,

I would consider forking the repo and maintaining your whitelist in a private copy, while resynching the main repo periodically to pick up new features. Another option would be add a "private whitelist" command line option to the main repo. That would be a little more work, although not a huge undertaking, and it would solve both problems in one executable. Yet another option would be an override whitelist, i.e. anything goes for iframe URLs. That's probably easiest of all but also the most vulnerable to security problems.

Marc

On Fri, 15 May 2020 at 20:16, Marc DiPasquale <marc.j....@gmail.com> wrote:

Hi, 

When embedding iframes it would be nice if there was a way to extend the whitelist with custom domains or by default allow all and maybe build up a blacklist. We're using codelabs to create "how to tutorials" for devs using our technology and need to whitelist our domain and the domains of some of our partners to embed iframes but it would feel weird to start to request those domains be whitelisted at the top level in the claat tooling. Thoughts on how this can be accomplished? 

thanks,

Marc

--
You received this message because you are subscribed to the Google Groups "codelab-authors" group.

To unsubscribe from this group and stop receiving emails from it, send an email to codelab...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/codelab-authors/e0cffd07-14b3-44d4-bb1b-bf7585a35f61%40googlegroups.com.

[Dave Ghidiu]

Hi everyone! Is there a place to see the URLs on the allow list for iframes in CodeLab?

[Dave Ghidiu]

I guess this is it?

https://github.com/googlecodelabs/tools/blob/main/claat/nodes/iframe.go