Restore Present view that doesn't allow phishing

[sflanker]

Seriously, I don't understand why the solution these issues:

• P5.js is no longer support the option present ?! #1970
• Antivirus software blocking editor from running sketches #1965

isn't obvious!

Just look at what OpenProcessing does:

<iframe src="https://openprocessing.org/sketch/1165174/embed/?plusEmbedHash=NWEzMDU1MGZmMzAwNjhmMjhmODRlYmFhM2QxYmY4Mjc3MWE2NmI4NmRlNGYzMDg2YTEzYTdhYzgwYjgzMWI4NTIwY2IxNzkxNTFlNjg4OTBlOTYwMGUxMjJmYzQ4M2E4NmMyMjcxNjc3MTc1ODFkMWFkNWZiMzQxMjEzOTNlN2NYYzVHYVRWY3JOUGFXdlFYdm9HaG5OQ2JnejZyN2xNMkNHT1A2TEFuYTB0VEZWU1RpbkdVc3VUbklzZmNXMHZWZE03ODFZUy9iaHR5SjJ0OWJFdGdHdz09&plusEmbedTitle=true" width="600" height="600" frameborder="0"></iframe>

• Use an iframe within an iframe.
• The container iframe should display a banner that clearly identifies the site, owner of the sketch, and name of the sketch.
• Make sure you request the URL for the actual sketch via a mechanism that the HTTP spec requires browsers to send a Origin header for
• Have your server return a 404 on any requests for sketch content that do not have a valid Origin header for your domain.
• Maybe add restrictions on the iframe that prevent it from going fullscreen.

Voila you can host user content in such a way that it will always be obvious to the person viewing the page that the content they are seeing is a p5js.org sketch, and not some other website (or page on your website), thus no legitimate phishing concerns.

Importantly, do not require cookies for this page to load (as is currently required for editor.p5js.org). The absolutely ridiculous banner that is mandated by the equally ridiculous EU parliament is horribly obnoxious and makes iframes that use editor.p5js.org URLs totally unusable.

[kjhollen]

Hi @sflanker thanks for the suggestion. We have a very small team—just a single developer—so please be respectful and patient with us as we work through possible solutions. What seemed most obvious to us last week was pulling the feature that was causing harm. At this time, we are not sure when or if we plan to restore the bannerless previews. Thanks for your understanding.

[sflanker]

Right, sorry I was hasty. It was a knee jerk reaction to what I think was originally a knee jerk reaction (taking down preview.p5js.org). My disappointment was compounded by the recent introduction of the cookie accept banner (which, I get it, isn't your fault, it's the EU's fault).

To be clear, I don't think you/we/the community should restore the banner-less behavior of preview.p5js.org, because I guess that can be used to make a p5.js sketch that looks like another *.p5js.org page such that a naive user might attempt to login to p5js.org via some faked UI and thus expose their credentials to a malicious sketch, and I completely understand that you don't have the bandwidth to police every sketch on the site. What I'm proposing is that sketches embedded via the preview.p5js.org have a minimal but clear banner identifying the website/sketch/author, but not require any cookies whatsoever to obviate the insidious accept cookies banner. I understand that while this solution may seem obvious to me, it will take time and effort to implement, test, and release. So I understand that the knee jerk reaction might have been necessary in the short term.

Having run into these types of antivirus blocks before on sites I manage, I do think that sometimes they are overly hasty to block a domain because a few users got confused and misreported things, against which legitimate site operators have little defense except to wade the the tiresome bureaucracy of these big "security" vendors. However, it sounds like in this case there may of been some legitimate abuse.

Another approach that might help would be to subdomain every sketch's preview URL: sketch-id.preview.p5js.org thus allowing security software to be more specific when flagging a malicious page. However I'm not sure how effective that would be, or how feasible in the context of your infrastructure.

If I find myself with some free time I would happily try to contribute some effort to solving this problem, but until that happens I will be patient.

Thank you for your efforts on p5js.org

[catarak]

Thanks for the suggestions, @sflanker. I see that seemed like a knee-jerk reaction to take down preview.p5js.org, but I had been inundated with phishing reports for the past few weeks, and on Friday had received an especially large number. I wanted to come up with a quick fix to stop the issue, and then figure out a long-term solution.

[catarak]

The cookie popup has been removed from the embed/full view. I'm going to leave this issue open to discuss options for bringing back the Present view that prevents phishing.

[catarak]

Some of the reasons for needing a Present view (fullscreen sketch without a header):

1. Using bluetooth (Can not use WebBluetooth function. #1900), you can't use web bluetooth from an iframe with a different domain.
2. For previewing on mobile

Perhaps there's a way to create a temporary url, or a password-protected url that supports these uses?

[sflanker]

For my purposes, the removal of the cookie banner from the full screen embedded sketches (like this one), is perfect. Thank you!