
Feature suggestion: Use service worker where cross origin is not applicable #39

Closed
YoniChechik opened this issue May 24, 2024 · 10 comments

Comments

@YoniChechik

This idea is based on react-py https://github.com/elilambnz/react-py

In case you don't want to have coi (e.g. a webpage with a youtube frame embedded), in react-py it will fall back to use service worker for interactivity and off main work.

My suggestion is to build something similar here, that will also work with py editor in pyscript and will make a larger crowd accessible to this amazing work.

@WebReflection (Owner)

WebReflection commented May 27, 2024

we use mini-coi quite successfully already: https://github.com/WebReflection/mini-coi#readme

more on that here: https://docs.pyscript.net/2024.5.2/user-guide/workers/#http-headers

P.S. the live demo here also uses mini-coi via GitHub pages
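The comment above points at mini-coi, which injects the isolation headers from a service worker when the host cannot be configured. When the host can be configured, the same two headers are simply sent by the server. The block below is an added example, not mini-coi or pyscript code: a stdlib-only static server that stamps `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` onto every response (404s included, so no path on the origin escapes the policy), plus a loopback fetch to confirm the headers are present. The directory layout and the `make_demo_site()` helper are constructed for the demo.

```python
"""Serve a static directory with the headers that enable cross-origin isolation.

Added example (not mini-coi or pyscript code). Assumptions: a local directory
to serve and the two header values the thread names (COOP same-origin +
COEP require-corp). The demo site written by make_demo_site() is constructed.
"""
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen

ISOLATION_HEADERS = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}


class IsolatedStaticHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that adds COOP/COEP to every response.

    end_headers() is called for success and error responses alike, so even a
    404 on this origin carries the policy; a page can only become
    crossOriginIsolated if its own top-level response does.
    """

    def end_headers(self):
        for name, value in ISOLATION_HEADERS.items():
            self.send_header(name, value)
        super().end_headers()

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def make_demo_site() -> str:
    """Write a constructed one-page site into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="isolated-site-")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<!doctype html><title>demo</title>"
                 "<script>document.title = String(crossOriginIsolated)</script>")
    return root


def start_isolated_server(directory: str, port: int = 0):
    """Start the server on 127.0.0.1 in a daemon thread; return (server, base_url).

    port=0 lets the OS pick a free port, so repeated runs never collide.
    """
    handler = partial(IsolatedStaticHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, real_port = server.server_address[:2]
    return server, f"http://{host}:{real_port}"


def fetch_headers(url: str) -> dict:
    """GET url and return its response headers as a lowercase-keyed dict."""
    with urlopen(url) as resp:
        return {name.lower(): value for name, value in resp.getheaders()}


if __name__ == "__main__":
    server, base = start_isolated_server(make_demo_site())
    try:
        print(base, fetch_headers(base + "/index.html"))
    finally:
        server.shutdown()
```

Opening the served page in a browser shows `crossOriginIsolated` as the tab title, which is the same runtime check a page can use to decide whether `SharedArrayBuffer` is available before starting a worker.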

@YoniChechik (Author)

Hi @WebReflection. I'm aware of mini-coi, but as I understand it forces the coi headers on websites. What if I have a case in which I don't want those headers (e.g. embedding youtube)?

@WebReflection (Owner)

WebReflection commented May 27, 2024

@YoniChechik it's really binary ... you either have those headers or you won't have SharedArrayBuffer.

If you don't want SharedArrayBuffer you can follow the docs: https://docs.pyscript.net/2024.5.2/faq/#sharedarraybuffer

Please note no SAB means:

  • you can't access the main thread JS side of affairs from workers as you do now
  • you can only await worker exposed sync features from the main
  • PyEditor won't work, PyTerminal will work in read-only mode (for the time being)

@WebReflection (Owner)

btw, frames don't get to have the same privileges as the embedder ... so I am not sure what is the issue that we are discussing here ... do you have any concrete example that doesn't require me to install 3rd party tools that explains what it is that is problematic to you? Thanks!

@WebReflection (Owner)

P.S. the mini-coi is opt-in and cannot be embedded via a module out of the box because service workers require a non-module script to bootstrap and the sooner for that, the better, but also as those headers, with or without Service Workers, might have some security concern/implication, I am not sure it's even a good idea to fallback automatically to a service worker or where to grab that service worker from ... maybe a Blob URL works too but I wonder if you could share any experience around this as we might want to automate the dance when we can or if it's configured as such via config.toml or config.json, thanks!

@YoniChechik (Author)

Sorry for the late reply @WebReflection.

Let's consider that I want to build a website with interactive Python sessions that require user input. Each page has some interactive Python sessions along with a video to go along with it. Here is the problem: I can't have Cross-Origin Isolation (COI) and also embed YouTube videos if I want to use "coincident."

COI requires Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp, which prevent YouTube videos from being embedded because YouTube doesn't provide the necessary CORP headers. This creates a conflict where I need the security benefits of COI but also need to embed videos from YouTube.

Looking for advice on how to handle this situation while maintaining both interactive Python capabilities and video content on the same page.

@WebReflection (Owner)

@YoniChechik is that so though? https://pyscript.com/@agiammarchi/embedded-youtube/latest add credentialless to your iframe and you're good? 🤔
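The two comments above (the COOP/COEP conflict with YouTube embeds, and the `credentialless` iframe suggested as a way around it) describe browser policy decisions that are easy to get wrong by hand. The block below is an added example, not code from coincident, pyscript or react-py: it parses raw response header blocks and predicts, from the rules the thread relies on, whether a page is cross-origin isolated and whether a cross-origin `<iframe>` will load under its COEP. It is a simplified model: `same-site` CORP values, reporting parameters and Permissions-Policy are ignored, and the `credentialless` iframe branch models Chromium only, as the later comment notes that Firefox and WebKit do not support it. All header blocks in it are constructed samples, not captured from YouTube.

```python
"""Predict cross-origin isolation and iframe loading from raw response headers.

Added example, not project code. Rules encoded (simplified):
  * COOP same-origin + COEP require-corp|credentialless -> crossOriginIsolated,
    which is what SharedArrayBuffer needs.
  * Under such a COEP, a cross-origin framed document must send
    Cross-Origin-Resource-Policy: cross-origin and itself set a compatible COEP.
  * An <iframe credentialless> (Chromium) is exempt from that CORP requirement
    and loads in an ephemeral cookie jar.
All header blocks below are constructed samples.
"""


def parse_header_block(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response header block into a lowercase-keyed dict.

    The status line (no colon) is skipped; a repeated header keeps its last value.
    """
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def policy_token(headers: dict, name: str, default: str = "unsafe-none") -> str:
    """Return the policy token of a header, dropping parameters like report-to=..."""
    token = headers.get(name, "").split(";", 1)[0].strip().lower()
    return token or default


def is_cross_origin_isolated(headers: dict) -> bool:
    coop = policy_token(headers, "cross-origin-opener-policy")
    coep = policy_token(headers, "cross-origin-embedder-policy")
    return coop == "same-origin" and coep in ("require-corp", "credentialless")


def iframe_loads(embedder: dict, framed: dict, credentialless_iframe: bool = False):
    """Return (loads, reason) for a cross-origin <iframe> whose navigation
    response headers are `framed`, embedded by a page with headers `embedder`."""
    coep = policy_token(embedder, "cross-origin-embedder-policy")
    if coep == "unsafe-none":
        return True, "embedder sets no COEP: frame loads, SharedArrayBuffer unavailable"
    if credentialless_iframe:
        return True, "<iframe credentialless> (Chromium): exempt from CORP, ephemeral context"
    if policy_token(framed, "cross-origin-resource-policy", default="") != "cross-origin":
        return False, "framed response lacks Cross-Origin-Resource-Policy: cross-origin"
    if policy_token(framed, "cross-origin-embedder-policy") == "unsafe-none":
        return False, "framed document sets no COEP compatible with the embedder"
    return True, "framed response passes the CORP and COEP checks"


# Constructed samples: an isolated page, a plain page, a third-party embed that
# sends no CORP (the situation the thread describes), and a cooperating embed.
ISOLATED_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html
Cross-Origin-Opener-Policy: same-origin; report-to="coop"
Cross-Origin-Embedder-Policy: require-corp
"""
PLAIN_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html
"""
EMBED_NO_CORP = """HTTP/1.1 200 OK
Content-Type: text/html
"""
EMBED_COOPERATING = """HTTP/1.1 200 OK
Content-Type: text/html
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: require-corp
"""


def audit(page_raw: str, embed_raw: str, credentialless_iframe: bool = False) -> dict:
    """Summarise one page/embed combination as {isolated, embed_loads, reason}."""
    page, embed = parse_header_block(page_raw), parse_header_block(embed_raw)
    loads, reason = iframe_loads(page, embed, credentialless_iframe)
    return {"isolated": is_cross_origin_isolated(page), "embed_loads": loads, "reason": reason}


if __name__ == "__main__":
    for label, page, embed, cl in [
        ("isolated page + embed without CORP", ISOLATED_PAGE, EMBED_NO_CORP, False),
        ("plain page + embed without CORP", PLAIN_PAGE, EMBED_NO_CORP, False),
        ("isolated page + credentialless iframe", ISOLATED_PAGE, EMBED_NO_CORP, True),
        ("isolated page + cooperating embed", ISOLATED_PAGE, EMBED_COOPERATING, False),
    ]:
        print(f"{label}: {audit(page, embed, cl)}")
```

The first and second cases are the binary choice stated earlier in the thread: either the page is isolated and the uncooperative embed is blocked, or the embed loads and `SharedArrayBuffer` is gone. The third case is the `credentialless` route, which only helps in browsers that implement it.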

@YoniChechik (Author)

WebKit/standards-positions#45

It seems that Firefox and WebKit don't support this

@WebReflection (Owner)

@YoniChechik I am not sure how to help here ... you have a solution for 90% of the Desktop browsers and 50% of the mobile one ... the SharedArrayBuffer feature requires those headers, sites are in charge of allowing those or not ... how do you expect me to contribute or help?

@WebReflection (Owner)

WebReflection commented Jun 20, 2024

btw, if the idea is that I should fall back to synchronous XHR, that's a dead standard and a lot of effort for imho very little gain, it bloats the code due to branching logic and it makes Atomics pointless on that branch ... I think comlink has that so use comlink if that's your cup of tea but I don't think it's worth adding complexity with a Service Worker that needs to be on the domain (to orchestrate sync requests) and makes things more clunky, not less, because some website doesn't want to allow their embeds in other sites ... and they have the right to do so, just like CORS has worked to date.

We can put a "works best in Chrome" these days without shame and still use standards that make things work ... it's up to FF and Safari to keep ignoring these APIs, but circumventing primitives is not a great path forward to me.

Of course if my team decides it's a must have I might have enough time to think about it, I was planning to simplify and rewrite coincident at some point anyway, but until then I am not sure I should push for it as I don't like the idea much myself. I hope this makes sense but if there's anything else I can help with, please let me know.
