You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Whereas most social media generates embeds that includes the text content of a post, Mastodon's current option for embedding posts/activity/toots on other websites as a single iframe element linking to a page containing the content, which has three significant shortcomings:
incurring an overhead of > 1MB per page load containing an embedded post (slowing page loads and taxing the Mastodon server hosting the embedded content)
denying those embedding content the ability to format/style it (whereas federated social media typically allows endpoints to format/reformat shared activities)
creating a security hazard as the frame is implemented with both the allow-scripts and allow-same-origin attributes set, removing sandboxing. As a result, **a compromised mastodon server can compromise all web pages that embed content from it.)
When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
Content-inclusive embedding creates HTML elements to embed that include at least the written content of the post. That content can be rendered even if the server is unavailable, can be styled/formatted by the embedder, and gives embedders the choice to capture the post (content and counters) at a moment in time or keep it updated. Updating requires 1% of the network overhead of iframe-based embedding (3k for script + 1 API call).
The Mastodon v1 API already allows third-parties to support this approach, and as you can see from this proof of concept for generating content-inclusive embedding and the blog post accompanying it. However, better to make it first-party with default style sheets that match how the Mastodon team would like embedded content rendered with by default.
Motivation
This change would make it easier for the news media, bloggers, and everyone else to embed content from Mastodon into their websites without risking their security, without taking away their ability to control the layout of their content, and without imposing MB of overhead.
The text was updated successfully, but these errors were encountered:
Pitch
The problems with iframe-based embedding
Whereas most social media generates embeds that includes the text content of a post, Mastodon's current option for embedding posts/activity/toots on other websites as a single
iframe
element linking to a page containing the content, which has three significant shortcomings:frame
is implemented with both theallow-scripts
andallow-same-origin
attributes set, removing sandboxing. As a result, **a compromised mastodon server can compromise all web pages that embed content from it.)Proposal: content-inclusive embedding
Content-inclusive embedding creates HTML elements to embed that include at least the written content of the post. That content can be rendered even if the server is unavailable, can be styled/formatted by the embedder, and gives embedders the choice to capture the post (content and counters) at a moment in time or keep it updated. Updating requires 1% of the network overhead of
iframe
-based embedding (3k for script + 1 API call).The Mastodon v1 API already allows third-parties to support this approach, and as you can see from this proof of concept for generating content-inclusive embedding and the blog post accompanying it. However, better to make it first-party with default style sheets that match how the Mastodon team would like embedded content rendered with by default.
Motivation
This change would make it easier for the news media, bloggers, and everyone else to embed content from Mastodon into their websites without risking their security, without taking away their ability to control the layout of their content, and without imposing MB of overhead.
The text was updated successfully, but these errors were encountered: