Kivicube Docs

English

简体中文

Appearance

Production Deployment

When you integrate Kivicube Web content into a production environment, we recommend checking at least the items below.

1. The Host Page Must Be Reachable over HTTPS

This is the most basic requirement and also one of the easiest to miss.

If the host page is not on HTTPS:

  • the camera may not work correctly
  • compatibility in iOS, Safari, and in-app WebViews will get noticeably worse

2. Allow the Page to Embed the Official iframe

Your site does not need to share the same origin as Kivicube, but you do need to make sure:

  • the iframe display area is not accidentally covered by other layout layers
  • the allow permission attribute is not stripped away

The current plugin automatically fills in the default permissions required by the iframe, including camera, gyroscope, fullscreen, and more.

3. If You Use Security Policies, Allow the Relevant Domains

If your site has a strict CSP or frontend gateway restrictions, you usually need at least:

  • frame-src: allow https://www.kivicube.com
  • script-src: if you load the official script directly, allow that domain as well

4. Handle CORS for Dynamic Assets

If you call any of the following at runtime:

  • createImage(url)
  • createGltfModel(url)
  • createVideo(url)
  • createPanorama(url)
  • createEnvMapByHDR(url)
  • createXxx(url)

then the asset origin must allow cross-origin access from https://www.kivicube.com.

5. Test on Real Target Devices

At a minimum, validate:

  • iPhone Safari / WeChat
  • Android Chrome / WeChat
  • the in-app WebView of your target app

Do not launch just because it "opens fine" in a desktop browser.

6. Confirm Watermark and Authorization Status

Before launch, make sure:

  • whether the content has the standard watermark
  • whether the domain triggers the developer watermark
  • whether advanced APIs and non-default properties are all covered by authorization
  1. the real domain is reachable over HTTPS
  2. the scene or collection ID is correct
  3. event listeners and error fallbacks are wired in
  4. CORS validation is complete
  5. watermark and permission validation is complete
  6. real-device regression testing has passed