Hi,
I ran into an issue that all my legacy models that use external geometry did not work anymore. It turns out that loading external geometry files is only allowed for very few source domains:
We introduced a content security policy that restricts the allowed URLs for connect-src to the ones you listed, about a month ago. This was done in order to strengthen the security of the ShapeDiver Platform and prevent leakage of personally identifiable information. The change does not affect the functionality of web applications that embed our viewer, but as you explained it restricts where external geometry can be loaded from when viewing models on the platform. We have plans to also remove *.s3-accelerate.amazonaws.com from this list, once our systems have been updated to support this.
Please let me know your use case such that we can come up with a potential workaround for you.
Hi Alexander,
Thank you for your quick feedback. I think it is not helpful that you block this core functionality on the platform. Since all models need to be uploaded to the platform first, the full functionality should be available there. When the model opens on the platform, I can trust that it will open on my embedded page. With the now changed behaviour, I can’t do that anymore.
Changing without notice is kind of bad practice. It gave me hard times during a client visit as all my models on the platform were not loading anymore and I did not know why.
Please consider the following:
Allow a whitelisting of certain domains to be sources for external geometry. This could be done similar to the embedding-whitelist. Maybe you can even use the same list.
Do a developer newsletter that describes all upcoming changes.
@mathias2 fully agreed with you that we should have given notice about this restriction before. We are about to roll out a notifications feature that will allow us to do this.
I am sorry that this change has caused interruption for you. We had to do it, because allowing connections to everywhere is a serious security problem for the platform.
Please let me know the precise domain you are loading models from. We might be able to add it to our CSP as a temporary workaround until we can offer another solution. Most probably the final solution will be an asset library integrated with the platform, which will allow our users to upload images, glTFs, etc.
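To make concrete how the connect-src restriction described above decides which external geometry URLs load, and what adding a customer domain to the policy (the workaround offered here) changes, the following is an added example and not ShapeDiver's code: the policy string, the `example-platform.test` / `customer.test` origins and the bucket URLs are constructed assumptions; only the `*.s3-accelerate.amazonaws.com` wildcard comes from the thread.

```python
"""Evaluate which external-geometry URLs a CSP connect-src would permit."""
from urllib.parse import urlsplit

# Constructed policy (assumption): a fixed allowlist plus the S3 accelerate
# wildcard the reply says is slated for removal. Not the platform's real CSP.
CSP = (
    "default-src 'self'; "
    "connect-src 'self' https://api.example-platform.test "
    "https://*.s3-accelerate.amazonaws.com"
)
SELF_ORIGIN = "https://viewer.example-platform.test"  # constructed

def parse_directive(policy, name):
    """Return the source list of one directive, or None if it is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def source_allows(source, url, self_origin=SELF_ORIGIN):
    """Host-source matching for one CSP source expression (simplified CSP3)."""
    u, me = urlsplit(url), urlsplit(self_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (me.scheme, me.netloc)
    if source == "*":  # bare wildcard still excludes data:/blob:/filesystem:
        return u.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):  # scheme-source such as https:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):  # *.example matches sub.example, not example
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    if host != u.hostname:
        return False
    return s.port is None or s.port == u.port

def connect_allowed(url, policy=CSP):
    """Apply connect-src, falling back to default-src as browsers do."""
    sources = parse_directive(policy, "connect-src")
    if sources is None:
        sources = parse_directive(policy, "default-src") or []
    return any(source_allows(src, url) for src in sources)
```

A model whose geometry sits in a regular regional S3 bucket is blocked by this policy while the same bucket reached through the accelerate endpoint passes, which is the legacy-model failure the thread describes; appending a customer origin to the connect-src list is exactly the temporary workaround offered.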
Thank you for your two replies and for making this change. I confirm that my legacy models operate again.
If the asset library is the way forward, then so be it. This still means that legacy models will stop operating and need an update. But for a lot of users, a built-in storage space will ease things up a lot. Amazon S3 is overkill for some use cases. Again, thanks.