saso wrote:
> yorik wrote:
> > However, javascript is apparently forbidden to load contents from other domains than the one it is running from. That prevents from fetching stuff from the tracker or forum. The only exception is when using the JSON format, which AFAICS none of our webapps supports, only Github (that's why I was able to fetch the commits from github).
> > If any of you webgurus has an idea to remove that barrier, then we can do much more interesting stuff
>
> It is possible that some of the security flags for the website that we have set up recently are blocking this https://forum.freecadweb.org/viewtopic. ... 78#p174779 , we can test this by adding a hash (#) in front of individual flags to disable them, for example:
>
> Code: Select all
> #Header always set Content-Security-Policy "frame-ancestors 'none'"
> #Header always set X-Frame-Options "deny"
>
> Personally however, from a security point of view, I don't really like putting all this web functionality into FC. We are potentially giving users a very unsafe "browser" to access and browse the web with. IMO there are some possible real dangers here. IMO it is better if users browse the web from their hopefully updated browsers.

It isn't one of those flags, it's same-origin policy. It depends on the individual web apps to implement an API which serves JSON.
It just so happens MantisBT did this recently. MediaWiki also has one, but phpBB does not, from what I can see. There's a plugin that hasn't had activity in ~3 years that may or may not work.
I agree with your last paragraph about security, though. Content displayed in FreeCAD displayed from the web should be minimized, if not for security alone, but also for the fact that it's kinda tough to make it look good when someone's offline.
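
The distinction drawn in the reply above, as an added example that is not part of the original posts: a simplified JavaScript model of the check a browser applies before letting a script read a cross-origin response (plain GET, no credentials). The origins and header sets are constructed sample data; the model shows that commenting out the two framing headers changes nothing for script access, while an Access-Control-Allow-Origin header sent by the web app does.

```javascript
// Added example: simplified model of the browser's read check for fetch().
// Hosts and header sets are constructed; scriptCanRead() is a hypothetical helper.
function scriptCanRead(pageOrigin, requestUrl, responseHeaders) {
  const page = new URL(pageOrigin).origin;   // scheme + host + port
  const target = new URL(requestUrl).origin;
  if (page === target) {
    return { readable: true, reason: "same origin" };
  }
  // Header names are case-insensitive, so normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  // frame-ancestors and X-Frame-Options only govern framing of the page;
  // they are deliberately not consulted here.
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { readable: false, reason: "cross-origin, no Access-Control-Allow-Origin" };
  }
  if (acao === "*" || acao === page) {
    return { readable: true, reason: "allowed by Access-Control-Allow-Origin" };
  }
  return { readable: false, reason: "Access-Control-Allow-Origin names another origin" };
}

// Constructed scenario: a start page on one origin fetching from other sites.
const PAGE = "https://start.example";
const FRAMING_FLAGS = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "deny",
};

function demo() {
  return {
    forumWithFlags: scriptCanRead(PAGE, "https://forum.example/feed", FRAMING_FLAGS),
    forumFlagsCommentedOut: scriptCanRead(PAGE, "https://forum.example/feed", {}),
    jsonApiOpen: scriptCanRead(PAGE, "https://api.example/commits",
      { ...FRAMING_FLAGS, "access-control-allow-origin": "*" }),
    jsonApiOtherOrigin: scriptCanRead(PAGE, "https://api.example/commits",
      { "Access-Control-Allow-Origin": "https://other.example" }),
    samePage: scriptCanRead(PAGE, "https://start.example/data.json", {}),
    otherPort: scriptCanRead(PAGE, "https://start.example:8443/data.json", {}),
  };
}

console.log(demo());
```
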