P3D origin security
This article describes a deprecated feature as of Panda3D 1.10.0.
If you really wish to remove restrictions for the script_origin, you can set it to “**”, which means any host at all. We strongly recommend not doing this, for obvious reasons.
You can also set the script_origin to a semicolon-delimited set of origin strings; for instance, “www.example.com;example.com” would allow either www.example.com or example.com, but not any other variant.
You can set the script_origin with the -c parameter to packp3d, e.g.
A variant on the script_origin that is less often used is run_origin. This is a stronger restriction than script_origin; if a p3d file is hosted on a page that doesn’t match its run_origin, then the p3d file cannot be started at all. You can do this to prevent third parties from deep-linking your p3d file or otherwise running it out of its intended context. This is less of a security restriction, and more a usage restriction on your own content. (Of course, a malicious individual may make a copy your p3d file and modify the run_origin setting, to allow it to run on their own page. But they will have to re-sign it with their own certificate, since any modifications will invalidate your own signature.)
The default run_origin is “\**”, which means there is no restriction.
You can set the run_origin with the -c parameter to packp3d, e.g.