iframe.diy
Run any web app inside a sandboxed iframe where your page controls everything: every file the app loads, every API it can call. No server required.
How it works
Each app gets a unique subdomain (<id>.iframe.diy) for origin isolation. A Service Worker inside the iframe proxies every fetch request back to your page via postMessage. Your page decides what to serve and what to inject.
  Parent Page                                iframe.diy Frame
┌──────────────┐     postMessage     ┌─────────────────────────────────┐
│              │   (JSON-RPC 2.0)    │  Outer Frame                    │
│ Serves files │ ◄─────────────────► │  ┌─────────────────────────┐    │
│ via fetch RPC│                     │  │ Inner iframe            │    │
│              │                     │  │ App runs here           │    │
└──────────────┘                     │  └─────────────────────────┘    │
                                     │  sw.js ─ proxies fetch → parent │
                                     └─────────────────────────────────┘
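Added example (not iframe.diy's own code): how a parent page might validate and answer the frame's fetch RPC from an allowlisted file map. The method name `fetch`, the params/result shapes, the `FILES` map, the `example-id` subdomain, and the assumption that messages arrive from the frame's own subdomain origin are all illustrative.

```javascript
// Added example, not iframe.diy's code. Assumed message shapes:
// request  {jsonrpc:"2.0", id, method:"fetch", params:{url}}
// response {jsonrpc:"2.0", id, result:{status, headers, body}}
const FILES = new Map([ // constructed sample app files
  ["/index.html", { type: "text/html", body: "<h1>demo</h1>" }],
  ["/app.js", { type: "text/javascript", body: "console.log('demo')" }],
]);

const rpcError = (id, code, message) =>
  ({ jsonrpc: "2.0", id, error: { code, message } });
const rpcFile = (id, status, type = "text/plain", body = "") =>
  ({ jsonrpc: "2.0", id, result: { status, body,
    headers: { "content-type": type, "x-content-type-options": "nosniff" } } });

// Returns the JSON-RPC response to post back, or null to ignore the message.
function handleFrameMessage(event, frameOrigin, frameWindow) {
  // Accept only the frame we created, at the subdomain we assigned to it.
  if (event.origin !== frameOrigin || event.source !== frameWindow) return null;
  const msg = event.data;
  if (!msg || msg.jsonrpc !== "2.0" || typeof msg.method !== "string") return null;
  if (msg.id === undefined) return null; // notification: no reply expected
  if (msg.method !== "fetch") return rpcError(msg.id, -32601, "Method not found");
  const raw = msg.params && msg.params.url;
  if (typeof raw !== "string") return rpcError(msg.id, -32602, "Invalid params");

  let url;
  try { url = new URL(raw, frameOrigin); } // also normalizes "../" segments
  catch { return rpcError(msg.id, -32602, "Invalid params"); }
  // Serve only the app's own origin from the allowlist; never fetch onward.
  if (url.origin !== frameOrigin) return rpcFile(msg.id, 403);
  const path = url.pathname === "/" ? "/index.html" : url.pathname;
  const file = FILES.get(path);
  return file ? rpcFile(msg.id, 200, file.type, file.body) : rpcFile(msg.id, 404);
}

// Browser wiring; skipped when run outside a page.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frameOrigin = "https://example-id.iframe.diy"; // placeholder <id>
  const frame = document.querySelector("iframe");
  window.addEventListener("message", (e) => {
    const res = frame && handleFrameMessage(e, frameOrigin, frame.contentWindow);
    if (res) e.source.postMessage(res, frameOrigin);
  });
}
```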
Why?
- Embed untrusted or third-party web apps without giving them access to your origin
- Polyfill APIs like window.nostr, inject configuration, or add monitoring
- Modify app behavior without touching its source code
- All client-side — no server infrastructure needed