Embeddable mode #213

[aymanterra]

No description provided.

[ukutaht]

Wonderful. Really great job @aymanterra and @bradkane. Thank you so much!!

I am testing this out now and will be trying to get it across the finish line this week. Will probably pop my questions and comments in here as I go.

First, I made a pretty big change to how shared links work so that it uses a separate cookie from all the other session stuff we do. This allows us to have a SameSite=None; Secure cookie for shared links while being more strict for normal authenticated sessions.

This PR requires some rework in the plugs and routes and such to align with the new cookie stuff. I am happy to continue the work on this. The second thing I would probably want to change is moving the embeddable field from the site record down to the shared_link record. I think that's a more natural scope for the field. Let me know if you see any issues with that.

I did have a question about X-Frame-Origin - why restrict it at all? Generally speaking I get it, we don't want anyone to embed our settings page for example, because it opens up a clickjacking attack vector. But what if we disabled X-Frame-Option on the embedded endpoints and kept it everywhere else? I can't think of any attacks it would open up and it would allow embeds to work cross origin as I understand it. I might be missing something but I'll test this approach out.

[bradkane]

@ukutaht So glad you are (generally) pleased with the changes made. I agree with you that @aymanterra did a great job! I think your comments and suggestions are all great improvements. These are areas where deep knowledge of the architecture and code can make our work even better and it is terrific that you are adding your limited time to this effort as well. Let us know how we can help.

[ukutaht]

Closed in favour of #812