Cross-Origin Read Blocking (CORB) on Certain NFTs

[johnnycho]

It looks as if some NFTs (e.g. Ether cards, Canvas content) can only be rendered in the browser using iframe (this is how OpenSea displays NFTs like https://opensea.io/assets/0xf9a423b86afbf8db41d7f24fa56848f56684e43f/242).

It also looks as if many if not all sources that host NFTs have implemented a Cross-Origin Read Blocking (CORB) policy to protect their content from unauthorized use in iframes.

My understanding is that the only way to resolve this issue is for each NFT source (e.g. ether.cards, artblocks.io, etc.) to grant permission to the *.eth.xyz domain to use iframe to display their content. I wonder if this is how opensea.io is able to render everything in iframes -- because of the nature of opensea.io as a resource, maybe every site that serves up NFT content has granted permission to opensea.io to render their content in iframes?

Until then, to prevent NFTs from showing up as black squares or broken content on the *.eth.xyz profiles, the current solution is this: If the NFT is not immediately identifiable from the URL as a video (.mp4, .mov) or a 3D image (.glb, .gltf), *.eth.xyz will check the NFT source URL against a list of domains (e.g. ether.cards, artblocks.io, etc.) and if the NFT is hosted on one of these domains, *.eth.xyz will show a static still image. (All other NFTs will show a static image based on the image_url or image_preview_url.)

This is, of course, not an ideal solution because of the large number of potential NFT sources, and the possibility that some of these sources may host NFTs that do not require iframe to render in the browser.

Does anyone have any ideas/feedback on this issue?