Chat embed iframe code has a serious and glaring issue. #58

Closed
Jaxel opened this issue Feb 19, 2013 · 10 comments

Jaxel commented Feb 19, 2013

Let's say on my website, I create a bbcode for users to embed twitch streams/chat in their posts... so if someone types:

[twitch=chat]channel_name[/twitch]

it will put in their post:

<iframe frameborder="0" scrolling="no" id="chat_embed" src="http://twitch.tv/chat/embed?channel=channel_name&amp;popout_chat=true" height="500" width="350"></iframe>

This works great, except for one glaring issue... spelling errors. Let's say someone spells their channel name wrong and ends up putting in a channel_name that doesn't exist. The iframe will embed on the page, and then twitch will take control over the ENTIRE page and forward it to a "This channel was not found" page. Since this iframe forward happens pretty much immediately, no one on my site can read that page anymore, and the user who misspelled can't even click the edit button to fix their post before they get forwarded.

@hayksaakian

Could you validate that the name exists before generating the embed code?

moocat commented Feb 21, 2013

This is also a problem when the servers are unstable and the iframe breaks. Not too long ago there was a change to the Twitch backend, and when you did the URL without the "www." the iframe couldn't redirect properly. This meant that the iframe directed to Twitch, and thus any page that had a chat embed on it was forcefully redirected from the original site to Twitch.

This is definitely not something that should be possible with an embed, but if you want to prevent this frame busting yourself you can follow this http://www.codinghorror.com/blog/2009/06/we-done-been-framed.html
With that you should be able to detect the frame busting and either redirect to your own error page, or maybe destroy the iframe.

@hayksaakian

I'd also suggest checking out http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/ regarding sandboxing of iframes.
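
An added example, not part of the original thread or Twitch's code, of the sandboxing approach the linked article describes: the BBCode expansion emits the iframe with a `sandbox` attribute that omits `allow-top-navigation`, so a redirect inside the frame cannot navigate the forum page. `CHANNEL_RE`, the token list and the function names are assumptions made for illustration.

```javascript
// Assumed conservative pattern for a channel name, not Twitch's documented
// rule. It mainly keeps quotes and markup out of the src attribute.
const CHANNEL_RE = /^[A-Za-z0-9_]{1,25}$/;

// Tokens granted to the frame. "allow-top-navigation" is deliberately absent,
// so the framed document cannot change the embedding page's location.
// The frame is cross-origin to the forum, so allow-same-origin only lets the
// embedded chat keep its own origin (cookies, storage).
const SANDBOX_TOKENS = ['allow-scripts', 'allow-same-origin', 'allow-forms'];

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Build the embed for one tag body, or return null if the name is rejected.
function renderTwitchChat(channel) {
  const name = channel.trim();
  if (!CHANNEL_RE.test(name)) {
    return null;
  }
  const src = 'http://twitch.tv/chat/embed?channel=' +
    encodeURIComponent(name) + '&amp;popout_chat=true';
  return '<iframe frameborder="0" scrolling="no" id="chat_embed" sandbox="' +
    SANDBOX_TOKENS.join(' ') + '" src="' + src +
    '" height="500" width="350"></iframe>';
}

// Escape the whole post first, then expand [twitch=chat]...[/twitch].
// A rejected tag is left in place as already-escaped text.
function expandBbcode(rawPost) {
  const safe = escapeHtml(rawPost);
  return safe.replace(/\[twitch=chat\]([^\[\]]*)\[\/twitch\]/gi,
    (match, body) => renderTwitchChat(body) || match);
}
```

A misspelled but well-formed name still passes the pattern; it is the missing `allow-top-navigation` token, not the name check, that keeps the "not found" redirect inside the frame.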

Author

Jaxel commented Feb 21, 2013

Nothing you guys are mentioning is feasible in this situation.

Contributor

mpoon commented Feb 22, 2013

mpoon closed this as completed Feb 22, 2013

Author

Jaxel commented Feb 25, 2013

I still don't see how any of the posted responses fix this issue.

The issue is simply, if you put the chat embed code and misspell the name of your channel, it will ruin the page. Adding an onbeforeload property to all my pages is just not a feasible option. This issue needs to be fixed on Twitch's end.

Myrathi commented Feb 25, 2013

I don't like to be mean but I'd say the solution to that one is to not misspell the name of your channel, in the first place. ;)

Contributor

mpoon commented Feb 25, 2013

Can I ask why the solutions of either doing a channel check beforehand or implementing onbeforeload don't work for you?

Author

Jaxel commented Feb 25, 2013

Doing a channel check doesn't work because bbcode is created on the fly. It just takes the content of the bbcode and places it in the appropriate spot in the HTML. Nothing is ever stored in the database; so this check would have to be done in EVERY page load, which would slow down the website due to cURL operations, as well as repeatedly ping the twitch API.

onbeforeunload would not be a valid option because as I said before, this is on a forum. In order to use the onbeforeunload in this situation, it would have to be implemented on every page. There is no reason to add this prompt and frustration for users on every page load; especially if that page does not even have a twitch embed on it.

When it comes down to it, this is a bug on twitch's end and needs to be fixed on twitch's end. It's very easy to do customized 404s without full page forwards.

mpoon reopened this Feb 25, 2013

Contributor

mpoon commented Jun 5, 2013

We pushed out a fix to this. 404s should no longer bust out of the chat embed iframe.

mpoon closed this as completed Jun 5, 2013