I’ve got some assets I’d like to run in an iframe in the background. This works when the project is published, but it doesn’t during development because launch.playcanvas.com has assets set to X-Frame-Options: DENY vs X-Frame-Options: SAMEORIGIN.
This makes editing and development a bit painful. It’s a bit silly because creating an iframe to a completely different domain works well (as it should) and doesn’t when the X-Frame-Options is locked down. The issue can be illustrated here:
The published version does work; the hidden iframe loads and one can see the console output “Some intensive CPU activity here…”. However, Editor → Launch causes a new tab to pop up; the header indicates DENY. For security purposes, the nginx server could have X-Frame-Options set to SAMEORIGIN and this would alleviate the issue.
I found a quick workaround was to simply host the needed assets for the iframe on an external domain. I guess one could also create a proxy project in PlayCanvas and just publish the assets that one needs for development, but this is a bit cumbersome as the Amazon CDN URL is unpredictable.
Important side note: The method getFileUrl returns a relative URL in launcher but returns an absolute URL when published. This should be consistent, and launcher needs to simply prepend window.location.origin. I.e.
// Returns 'https://s3-eu-west-1.amazonaws.com/apps.playcanvas.com/HSBSlcXy/..' at publish
// but returns '/api/assets/files/Library/Billboard/hello.html?id=656796' in launcher.
Please consider fixing this to always return a FQURL. A ticket has been created at:
@yak32 and I investigated this, and it’s going to require a bit more work than changing the X frame permissions due to the way that assets are served in the Editor/Launch tab; we’ve set them up so that they can be downloaded from the Editor
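
The header behaviour discussed in this thread, as an added example (not code from either poster or from PlayCanvas): a simplified JavaScript model of how a browser applies X-Frame-Options to an iframe load, combined with resolving the launcher's relative asset URL. It assumes a single parent frame and no CSP frame-ancestors directive; the external host `assets.example.org` and the function names are constructed for illustration.

```javascript
// Added example. The external host is a constructed sample value.
const LAUNCH_PAGE = 'https://launch.playcanvas.com/';            // launcher origin from the post
const RELATIVE_ASSET = '/api/assets/files/Library/Billboard/hello.html?id=656796'; // from the post
const EXTERNAL_ASSET = 'https://assets.example.org/hello.html';  // constructed

// Resolve a relative asset URL against the embedding page, the same effect
// as prepending window.location.origin to a path-absolute URL.
function toAbsoluteUrl(assetUrl, pageUrl) {
  return new URL(assetUrl, pageUrl).href;
}

// Simplified model of the browser's X-Frame-Options check for one parent frame.
// xfo is the raw header value of the framed response, or null when absent.
function framingAllowed(xfo, frameUrl, parentUrl) {
  if (xfo == null) return true;                       // no header: no restriction
  const values = new Set(
    xfo.split(',').map(v => v.trim().toLowerCase()).filter(v => v !== '')
  );
  const known = ['deny', 'sameorigin', 'allowall'];
  if (values.size > 1) {
    // Conflicting directives fail closed; several unknown tokens are ignored.
    return !known.some(k => values.has(k));
  }
  if (values.has('deny')) return false;               // never frameable, even same-origin
  if (values.has('sameorigin')) {
    return new URL(frameUrl).origin === new URL(parentUrl).origin;
  }
  return true;                                        // unknown token or allowall: ignored
}

// Evaluate the four situations described in the thread.
function report() {
  const sameOriginAsset = toAbsoluteUrl(RELATIVE_ASSET, LAUNCH_PAGE);
  return {
    sameOriginAsset,
    launcherDeny: framingAllowed('DENY', sameOriginAsset, LAUNCH_PAGE),
    launcherSameOrigin: framingAllowed('SAMEORIGIN', sameOriginAsset, LAUNCH_PAGE),
    externalNoHeader: framingAllowed(null, EXTERNAL_ASSET, LAUNCH_PAGE),
    externalSameOrigin: framingAllowed('SAMEORIGIN', EXTERNAL_ASSET, LAUNCH_PAGE),
  };
}

console.log(report());
```

The result shows why the launcher iframe fails under DENY, would load under SAMEORIGIN, and why the externally hosted copy loads only as long as that host sends no restrictive framing header.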