Problem
When creating a Dioxus desktop application on Linux, it's currently impossible to communicate with a cross-origin iframe that uses a postMessage-based API, such as the YouTube IFrame Player API.
Attempting to control the iframe from Dioxus code results in a security error in the console:
Unable to post message to <some_origin>. Recipient has origin dioxus://index.html.
This behavior is specific to Linux (using WebKitGTK). The exact same code works perfectly on macOS (using WKWebView), which suggests a difference in how the underlying WebView handles security policies for custom protocols.
Steps To Reproduce
Steps to reproduce the behavior:
- Create a new Dioxus desktop app.
- Add a component that embeds a YouTube
iframe with enablejsapi=1.
- Add a button that attempts to call a JavaScript function on the iframe's context using
eval, for example, window.player.pauseVideo().
- Run the app on Linux.
- Open the WebView developer console and observe the security error upon clicking the button.
div { class: "modal-box w-11/12 max-w-5xl",
h3 { class: "text-lg font-bold", "Media Preview" }
div { class: "pt-4 w-full h-full",
iframe {
id: "youtube_preview_iframe",
class: "w-full h-full aspect-video rounded-xl overflow-hidden",
src: "https://www.youtube.com/embed/{video_id}?autohide=1&enablejsapi=1&fs=0&modestbranding=1",
allowfullscreen: false,
allow: "encrypted-media",
}
}
div { class: "modal-action",
form { method: "dialog",
button {
class: "btn",
onclick: move |_| {
eval(
r#"
window.player.pauseVideo();
"#,
);
},
"Cancel"
}
}
button { class: "btn btn-accent gap-2",
ClapperboardIcon { class: "size-5" }
"Extract Frame"
}
}
}Expected behavior
Communication between the Dioxus application and the YouTube iframe should be successful on Linux, just as it is on macOS. Clicking the button should execute the JavaScript via eval() without any cross-origin security errors, and the video should respond accordingly (e.g., pause).
Screenshots
Environment:
- Dioxus Version: 0.6.0
- Rust Version: 1.87.0
- Platform: Linux Fedora 42 (WebKitGTK)
- Render Target: Desktop
Problem
When creating a Dioxus desktop application on Linux, it's currently impossible to communicate with a cross-origin
iframethat uses a postMessage-based API, such as the YouTube IFrame Player API.Attempting to control the iframe from Dioxus code results in a security error in the console:
Unable to post message to <some_origin>. Recipient has origin dioxus://index.html.This behavior is specific to Linux (using WebKitGTK). The exact same code works perfectly on macOS (using WKWebView), which suggests a difference in how the underlying WebView handles security policies for custom protocols.
Steps To Reproduce
Steps to reproduce the behavior:
iframewithenablejsapi=1.eval, for example,window.player.pauseVideo().Expected behavior
Communication between the Dioxus application and the YouTube iframe should be successful on Linux, just as it is on macOS. Clicking the button should execute the JavaScript via eval() without any cross-origin security errors, and the video should respond accordingly (e.g., pause).
Screenshots
Environment: