[Request] CORS between domain and subdomains, and cross-subdomains
I'm not too studied-up on CORS, but I know what it's there for. Currently there's a number of things that are not possible to do because our generator is on a different subdomain than other generators or iframes, etc. etc. and even the top-level page we're actually on.
With that allowed (I think CORS can allow this), there's a lot more customisation we can do of things like t2i image iframes and gallery iframes, reading/changing the top-level url, etc. Maybe that's something you don't want to allow, but I for one have wanted to do these things for completely benign legit reasons multiple times.
To help me understand, can you give an example of what you're trying to achieve? Note there's perchance.org/super-fetch-plugin which can bypass CORS if you're just trying to fetch a cross-origin resource that doesn't have the appropriate CORS headers.
Stuff like reaching into an iframe and messing about with it. I want to remove the gallery buttons in my plugin pages for example. While yes, you could add that feature, I could do it fairly easily myself I think--if cross-subdomain access was allowed.
Also, an image generator I'm working on takes in url parameters. I wanted to be able to clear them after processing using history.pushState, but as that would reach across into the main perchance.org domain it's disallowed.
I'm not 100% sure it's CORS that would allow this, but I'm sure there's some way of telling the browser it's cool.
> I want to remove the gallery buttons in my plugin pages for example

> that would reach across into the main perchance.org domain it’s disallowed
Allowing general-purpose cross-domain access like this is not possible, since it would allow very easy login credential stealing, and stuff like that, but these particular things that you've mentioned are good suggestions.
RE gallery button: You're talking about the "send to gallery" and the "open gallery" buttons in the menu after clicking the heart button, right? Would something like this work?
promptData
  prompt = ...
  hideGalleryButtons = true
I have needed history.replaceState before myself, but haven't gotten around to properly thinking about it. I think it should be fine to allow a generator to change the query parameters and hash (i.e. everything other than the pathname - since otherwise it could 'spoof' other generators/pages). Can you let me know your specific use case to help me triangulate on a good approach here? Do you specifically need pushState? Or will replaceState do? I'm reluctant to add pushState because it can be used ~maliciously - like the spammy sites that effectively hijack your back button to prevent you from leaving the page (or at least, make it require an extra click or two).
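The restriction described in the reply above (a generator may change the query string and hash but not the pathname, and only through replaceState) could be enforced by the top-level page when it receives a postMessage request from the generator iframe. This is an added example, not Perchance's code; the origins, message shape and function names are assumptions.

```javascript
// Added example. Origin, message shape and function names are assumptions.
const TRUSTED_FRAME_ORIGIN = "https://frames.example.org"; // constructed value

// Returns the relative URL that is safe to pass to history.replaceState,
// or null when the request would change anything besides query and hash.
function resolveAllowedUrl(currentHref, requested) {
  if (typeof requested !== "string" || requested.length > 2048) return null;
  const current = new URL(currentHref);
  let target;
  try {
    target = new URL(requested, current); // also normalizes ../ and //host forms
  } catch {
    return null; // unparseable input
  }
  if (target.origin !== current.origin) return null;     // no cross-origin URLs
  if (target.pathname !== current.pathname) return null; // no spoofing another page
  return target.pathname + target.search + target.hash;
}

// Top-level page side: accept the request only from the expected iframe.
function handleFrameMessage(event, frameWindow, loc, hist) {
  if (event.origin !== TRUSTED_FRAME_ORIGIN) return false;          // wrong sender origin
  if (!frameWindow || event.source !== frameWindow) return false;   // not our iframe
  const data = event.data;
  if (!data || data.type !== "replace-url") return false;
  const url = resolveAllowedUrl(loc.href, data.url);
  if (url === null) return false;
  hist.replaceState(null, "", url); // replaceState adds no back-button entry
  return true;
}

// Browser wiring (skipped outside a browser). The iframe would call:
//   parent.postMessage({ type: "replace-url", url: "?" }, "https://example.org")
if (typeof window !== "undefined") {
  const frame = document.querySelector("iframe"); // assumed: one generator iframe
  window.addEventListener("message", (e) =>
    handleFrameMessage(e, frame && frame.contentWindow, window.location, window.history));
}
```

Sending `"?"` as the requested URL clears the query parameters while leaving the pathname untouched, which covers the "clear them after processing" case from the original post.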
I’m new to Perchance but I do have over an entire decade of programming experience. I understand what you’re saying and I also understand what you’re trying to achieve. However, as I’ve not been programming for like four (4) years now, things have changed, been updated and been deprecated since I last did so.
But, as far as I’ve noticed within the last few years, the “Global Browsers” seem to be weeding out or deprecating iframes <iframe></iframe>. So, ultimately, if they have been deprecated as everyone was saying they would be, it may be out of Perchance’s scope of generating those iframes if they’ve been removed from the browsers’ “compatibilities” or “supported features”.
However, on the CORS side of your post: CORS stands for Cross-Origin Resource Sharing, which isn’t injectable (there’s a workaround via JavaScript (I’d recommend jQuery) which can “simulate” granted CORS but it’s limited “per Origin” based on their “Strict” limitations). Which means you can’t Cross-Origin into someone’s Strict Resource Sharing; but if they explicitly “don’t add” or “forget” or “allow” then your jQuery “simulation” should allow you to cross into their CORS.
The possibility of a successful CORS may be half to less than half depending on the REST Securities those infrastructures may or may not have in place.
—————————————————————————————
Breakdown:
You can try to simulate a CORS relationship with jQuery (or whatever JavaScript “custom” Perchance uses) but it might fail more than succeed; it depends on who you’re implying CORS to, why and how.
Just so you know, iframes are pretty much how all of perchance works. So yeah... they're fine with iframes 😅
As for CORS and such, yeah I'm not completely up to speed with it either. Just handing it over to the dev who's in here too, to figure out how they want to handle such things, if at all. We've been discussing various methods without CORS that would still expand the capabilities to do interesting/useful (but safe) stuff.